Controls library.

Decide and write down which party (your organisation, your partners, suppliers, customers or other t

Set up a process so that the services, products and materials you buy from suppliers support the res

Make sure your responsible approach to building and using artificial intelligence (AI) takes account

The organisation writes down an approved policy that sets the rules for how it builds and uses AI sy

Work out which of your existing organisational policies are affected by, or already apply to, your g

Your organisation regularly reviews its artificial intelligence (AI) policy, and reviews it again wh

Your organisation must clearly decide who is responsible for each part of managing artificial intell

Set up a clear, accessible way for people to raise concerns about your organisation's role in any AI

The organisation identifies and documents the resources needed for each stage of an AI system's life

Your organisation must keep a written record of the data resources used by each artificial intellige

Your organisation must keep written records of the tools used to build, run and support each AI (art

Your organisation keeps a written record of the system and computing resources used to run each arti

The organisation must record who works on its AI system across its whole life and the competences th

Have clear, approved security policies that everyone knows about and follows.

Create and communicate rules for how information and assets should be used to ensure security.

Ensure that employees and external parties return all company assets when their job or contract ends

Classify data based on security needs so everyone handles it correctly.

Create and use clear labels to show how sensitive information is, so it is correctly handled.

Ensure secure and controlled transfer of information within and outside the organisation.

Set and apply rules for who can access information and systems based on their security needs.

Ensure all user and system identities are managed from creation to deactivation.

Ensure secure and proper handling of passwords and authentication details.

Regularly check and adjust who can access sensitive information based on business rules.

Ensure suppliers of products/services do not pose security risks through defined processes.

Clearly assign security roles and duties to ensure nothing is overlooked.

A repeatable method for working out who an AI system could affect and how badly, covering single peo

Ensure suppliers meet agreed security requirements relevant to their relationship.

Ensure ICT supply chain security by managing risks with processes and procedures.

Keep track of and adapt to changes in how suppliers handle security and service delivery.

Ensure secure cloud service use with proper procedures for acquisition, management, and exit.

Ensure your organisation is ready to manage security incidents with clear processes and responsible

Evaluate security events to determine which are serious enough to be called incidents.

Ensure security incidents are handled quickly and effectively following set procedures.

Use knowledge from past incidents to boost security and prevent future issues.

Set up clear steps to gather and maintain evidence of security incidents securely.

Plan to keep information secure even when normal operations are interrupted.

Your organisation must write down the results of every AI (artificial intelligence) system impact as

Ensure no one person can perform conflicting duties alone to prevent misuse.

Ensure ICT systems are ready to support business goals during disruptions through proper planning an

Identify and stay updated on information security legal obligations to avoid breaches.

Develop procedures to safeguard intellectual property rights to avoid legal issues.

Ensure records are safe from loss, damage, falsification, and unauthorised access.

Ensure privacy and PII protection according to laws and contracts.

Ensure independent reviews of information security management at regular intervals or after signific

Regularly check if your organisation's security policies and rules are being followed.

Ensure procedures are written down and accessible to those who need them.

The organisation must assess and document how its artificial intelligence (AI) systems could affect

Managers must ensure everyone follows and supports the organisation's security policies.

Ensure you can quickly contact authorities like police or regulators for security issues.

Your organisation must assess and write down how each artificial intelligence (AI) system could affe

Maintain ties with security groups to stay updated on threats and best practices.

Gather and study threat information to improve your security measures and readiness.

Include security checks in all projects to prevent risks from new systems.

Keep an updated list of information and assets, specifying who owns and manages each.

Conduct background checks on all job candidates before hiring to manage risks.

Write down the responsible-development goals your AI systems must meet, then build checkpoints into

Write down the specific step-by-step processes your teams follow to design and build each AI (artifi

Ensure job agreements state everyone's info security duties clearly.

Before building a new AI system or materially changing an existing one, write down exactly what it m

Write down how each AI system was designed and built, and show that those design choices trace back

Define and document how you will verify (confirm the AI system is built correctly) and validate (con

Before an AI system goes live, write down how it will be deployed and confirm that the conditions fo

Your organisation must define and write down what is needed to keep each artificial intelligence (AI

The organisation decides what technical documentation each group needs about its AI (artificial inte

Your organisation decides, and writes down, at which stages of an AI system's life its event logs (a

Ensure everyone gets regular training and updates on information security relevant to their job.

Ensure staff understand consequences for breaking security rules to prevent violations.

Ensure security responsibilities are clear when employment ends or roles change.

Ensure all relevant parties sign agreements to protect confidential information.

Implement security measures to protect company info when working outside the office.

Ensure staff can quickly report security problems through official channels to prevent bigger issues

Define clear physical boundaries to protect sensitive areas and assets from unauthorized access.

Manage storage media safely from purchase to disposal based on your risk policies.

Make sure key equipment is safe from power and utility failures to avoid data loss.

Ensure cables are protected from interception, damage, or interference to prevent security risks.

Ensure all equipment is regularly maintained to prevent failures and protect data.

Ensure device data is erased or secured before disposal or reuse to prevent data breaches.

Ensure only authorised people can enter secure areas and prevent unauthorised access.

Set up, write down and actually follow clear processes for managing the data you use to build and im

Write down where each dataset feeding your AI came from and the criteria you used to decide it was t

Ensure physical security to prevent unauthorized access to offices and facilities.

Write down what "good enough" data means for each AI system: things like accuracy, completeness, how

Use systems like CCTV and alarms to detect unauthorized physical entry.

Plan and implement actions to prevent damage from natural and human threats to physical infrastructu

The organisation must define and document a process that records the provenance (the origin and hist

Write down how your organisation decides which data-preparation steps to apply and which methods to

Implement security measures to control and protect activities in secure areas.

Ensure desks and screens are clear of sensitive info to prevent unauthorized access.

Ensure equipment is placed safely to prevent damage or unauthorised access.

Ensure assets used outside the office are protected from theft or loss.

Ensure all laptops, mobiles, and tablets are secure to protect stored information.

Delete data you don't need anymore to reduce risk and comply with laws.

Use data masking to hide sensitive info based on policy requirements and legal obligations.

Implement measures to stop sensitive data from being leaked or stolen from your systems.

Keep and test backups of data and systems regularly as per backup policy.

Ensure systems have backups to avoid downtime and data loss.

Keep detailed logs of activities and events to detect attacks and ensure accountability.

Regularly check networks and systems for unusual activity to address potential security threats.

Ensure all system clocks are set to the same time source to aid in event tracking and investigations

Restrict and control programs that can override system controls to prevent unauthorised access.

Ensure software installations are controlled to prevent security risks.

Your organisation must work out and give users the information they need to understand and use the a

Control and limit who gets special access to sensitive systems to keep them secure.

Secure and manage networks to prevent unauthorized access to your information.

Ensure network services are secure, reliable, and meet agreed-upon standards.

Separate network groups to limit risks and control access between services, users, and systems.

Limit access to risky websites to avoid malware and phishing threats.

Create and enforce rules for using cryptography and managing keys effectively.

Set rules for secure software and system development to avoid costly production issues.

Ensure security needs are clear and approved when creating or buying applications.

Create and use guidelines for building secure systems in all development projects.

Ensure software is built securely to prevent vulnerabilities.

Ensure security tests are part of the development process to find issues early.

Give people outside your organisation, not just your own customers, a clear and public way to report

Limit access to information based on set policies to prevent unauthorised use.

Ensure your organisation oversees and checks outsourced development to maintain security.

Ensure development, testing, and production systems are separate to avoid disrupting live services.

Ensure all system changes follow a formal, approved process to prevent issues.

Choose and protect test data carefully to avoid exposing sensitive information.

Ensure audit activities are planned and agreed with management to prevent system disruptions.

Your organisation must create and write down a plan for how it will tell users of the AI (artificial

Control who can read and change source code to avoid risks and maintain security.

Use secure methods to confirm identities and control access to systems and data.

Your organisation must identify and write down every obligation it has to report information about i

Ensure resources are monitored and adjusted to meet current and future needs to prevent system slowd

Implement measures and train users to prevent and detect malware threats.

Identify and address software vulnerabilities to prevent exploitation and security risks.

Set and keep secure settings for all IT systems and watch for changes.

Your organisation must define and write down the processes that govern how artificial intelligence (

Write down the specific goals your organisation wants its AI use to live up to (things like fairness

Make sure each AI system is only used for the purposes it was actually designed and approved for, an

Make sure only approved software can run on office computers.

Ensure application control covers user and temporary folders to block unapproved software.

Allow only company-approved applications and scripts to run on work computers.

Ensure only approved applications can run on servers accessible from the internet.

Notify ASD promptly when cyber security incidents occur or are discovered.

Activate the cybersecurity response plan as soon as an incident is identified.

Ensure application control is in place everywhere except user profiles and temp folders.

Implement Microsoft's recommended blocklist to enhance security.

Check once a year or more that rules for allowing or blocking software are accurate.

Ensure all application control events are logged in a central location for monitoring.

Ensure that event logs are secure from being changed or deleted by unauthorized users.

Review logs from internet servers quickly to spot any security issues.

Timely analysis of events to spot and manage security incidents.

Report security incidents quickly to the security chief or their team.

Ensure only approved software can run on internal servers.

Ensure only approved drivers can run to prevent malicious code execution.

Use Microsoft's blocklist to stop vulnerable drivers from running.

Check server logs regularly to find security issues early.

Quickly check workstation logs to find any security events.

Ensure Internet Explorer 11 is not used to increase security.

Ensure web browsers block Java content from the internet to reduce security risks.

Ensure web browsers do not display internet ads to prevent potential security risks.

Users should not be able to change web browser security settings.

Harden web browsers using the strictest security settings from ASD or vendor guides.

Prevent users from changing PDF software security settings to enhance safety.

Ensure logging of PowerShell activities is centralised for monitoring.

Log all command line processes in a central location for monitoring.

Ensure event logs cannot be tampered with or erased without permission.

Regularly review event logs from internet-facing servers to spot security issues quickly.

Quickly review cyber events to find and manage security threats.

Report any cybersecurity incidents to the Chief Information Security Officer as soon as they happen.

Report cyber security incidents to ASD as soon as they're found.

Activate the response plan immediately after identifying a cyber incident.

Prevent Microsoft Office from starting other programs or activities on its own.

Prevent Microsoft Office from making executable files to stop malware.

Stop Microsoft Office from putting code into other programs to prevent security risks.

Ensure Microsoft Office is set up to stop risky linking and embedding features.

Ensure office suites follow the strictest security guidelines to reduce risks.

Ensure users cannot change security settings in office applications.

Prevent PDF programs from running other programs to improve security.

Secure PDF applications based on guidance to protect against hacks.

Ensure older versions of .NET Framework (3.5, 3.0, 2.0) are turned off or uninstalled.

Disable or remove Windows PowerShell 2.0 to enhance security.

Limit PowerShell's capabilities to reduce security risks.

Regularly check server logs not exposed to the internet for signs of hacking.

Quickly analyse workstation logs to detect security issues.

Ensure users use multiple ways to verify their identity when accessing sensitive company data online

Use multi-factor authentication for third-party services with sensitive data to prevent unauthorized

Use a second form of verification for accounts on services handling non-sensitive org data.

Ensure users use multi-factor logins for online services with sensitive customer data.

Use multi-factor authentication to secure accounts on third-party services that handle your sensitiv

Require multiple forms of ID for customer logins to protect sensitive online data.

Use something you have and something you know to secure access to important data.

Ensure privileged users use more than just a password to access systems.

Notify the Chief Information Security Officer quickly after discovering cyber attacks.

Notify ASD quickly when a cybersecurity incident occurs or is discovered.

Activate the response plan immediately once a cyber incident is detected.

Require additional authentication methods for regular system users.

Ensure two-factor authentication can't be bypassed by phishing attacks.

Ensure system login methods resist phishing attacks using multiple authentication factors.

Ensure all successful and failed MFA attempts are logged in one central location.

Ensure event logs cannot be changed or deleted without permission.

Regularly check logs from online servers to quickly spot security issues.

Timely analyse cybersecurity events to identify incidents quickly.

Use multiple verification methods to authorise access to data storage systems.

Use multi-factor authentication that resists phishing for customers accessing online services.

Use secure multi-factor authentication methods to protect data repositories against phishing attacks

Regularly check event logs from internal servers to catch security issues quickly.

Ensure workstation event logs are reviewed quickly to spot cybersecurity issues.

Use automated tools every two weeks to find all devices for security checks.

Use a current vulnerability scanner to check for security issues in your apps.

Use a daily scanner to find missing security updates for online services.

Use a tool every week to check and update key software like browsers and office apps to fix security

Ensure critical software updates are installed within 48 hours to prevent security risks.

Install updates for online services within two weeks if not critical and no exploits exist.

Remove online services that the vendor no longer supports to enhance security.

Remove office, browser, and security software that is no longer supported by the vendor.

Use a vulnerability scanner every two weeks to find missing patches in non-core applications.

Apply patches for non-critical apps within a month to fix vulnerabilities.

Apply critical patches to important software within 48 hours of release.

Ensure software patches for non-critical flaws are installed within two weeks if no exploits exist.

Ensure unsupported non-critical applications are removed for security.

Use an automated tool to find all system assets every two weeks for security checks.

Ensure a vulnerability scanner with current data is used to check for security issues.

Use a tool every day to find and fix missing updates on servers and network devices facing the inter

Use a vulnerability scanner every two weeks to check for missing OS updates on internal systems.

Apply critical updates to internet-facing systems within 48 hours to prevent exploitation.

Apply non-critical patches to internet-facing systems within two weeks if no exploits exist.

Ensure that all outdated and unsupported operating systems are replaced with supported versions.

Use a vulnerability scanner every two weeks to find missing driver updates.

Use a vulnerability scanner every two weeks to find and update missing firmware patches.

Quickly install critical updates on internal systems to fix security vulnerabilities.

Apply OS patches on internal devices within a month if they aren't critical and have no known exploi

Ensure critical security updates for drivers are applied within 48 hours to prevent exploitation.

Ensure drivers are updated within a month if the vulnerabilities are non-critical and no exploits ex

Ensure firmware vulnerabilities are fixed quickly, within 48 hours if critical.

Apply patches for non-critical firmware vulnerabilities within a month if no exploits exist.

Ensure your operating system is up-to-date with the latest or previous version.

Check and approve requests for admin access to systems and data at the start.

Ensure admins use special accounts only for their admin work.

Block admin accounts from internet and email to enhance security.

Only allow privileged accounts the minimum access needed for online duties.

Ensure privileged users have separate work environments for admin tasks and regular tasks.

Ensure that non-admin accounts cannot access admin-level systems.

Ensure privileged accounts can't be used in unsecured setups to limit risk.

Ensure privileged access is reviewed and renewed annually for continued access.

Quickly review cyber events to spot security incidents.

Report security incidents to the security officer quickly after finding them.

Notify ASD quickly about any cyber attacks or breaches.

Start the response plan immediately after a cyber incident is detected.

Disable admin accounts if unused for 45 days to improve security.

Ensure that secure environments are not run within less secure ones.

Require admins to use secure jump servers for management tasks.

Ensure admin account credentials are strong, unique, and well-managed.

Keep logs of admin actions in a central place to monitor for misuse.

Ensure logs of admin account and group changes are stored in one place.

Ensure event logs cannot be changed or deleted without authorisation.

Quickly check logs from servers open to the internet for security issues.

Ensure privileged access is granted only when needed to perform specific duties.

Conduct admin activities on secure, dedicated workstations only.

Grant high-level access only when needed and for limited times to enhance security.

Ensure features that protect memory from exploits are enabled to prevent unauthorized code execution

Ensure LSA protection is on to prevent malware from stealing credentials.

Enable Credential Guard to protect credentials from attacks by isolating them.

Prevent admin credentials from being exposed during remote logins.

Review logs of internal servers promptly to spot security threats.

Regularly check logs on office computers to find security issues early.

Ensure backups match business needs and help restore data after incidents.

Ensure data, applications, and settings are backed up together to restore them to the same point in

Ensure backups are kept securely and can withstand failures.

Ensure data and apps can be restored to a common point using backups in disaster scenarios.

Ensure that unprivileged accounts can't access other users' backups.

Ensure non-admin users cannot change or remove backup files.

Ensure only backup administrators can access all backup data.

Ensure privileged users can't change or remove backups, except backup admins.

Ensure basic user accounts are unable to access or manage their backup data.

Ensure accounts with special access cannot view their own backup data.

Ensure backup admins can't change or remove backups until retention ends.

Ensure only users with a specific business need can run Microsoft Office macros.

Prevent macros in files from the internet from being opened in Microsoft Office.

Ensure antivirus scanning is active for macros in Microsoft Office documents.

Ensure users cannot alter macro settings in Microsoft Office applications.

Block Office macros from running code that interacts directly with Windows.

Allow only macros from trusted locations, sandboxes, or signed by trusted publishers.

Ensure Office macros are safe from malicious code before trusting or signing.

Ensure that only specific users can edit trusted macro locations to prevent malicious code.

Block untrusted Microsoft Office macros from being enabled using standard interface warnings.

Prevent enabling of macros not signed with V3 signatures using standard Office UI controls.

Regularly check and confirm trusted publishers in Microsoft Office to prevent unauthorized macro use

System owners consult officers to add extra security controls based on system specifics and organisa

System owners must get permission from an authorising officer to operate certain systems.

Ensure there is a continuous and effective plan for safeguarding cyber activities and data.

Create a security plan detailing system purpose, management, and additional controls.

Ensure systems are managed effectively with developed and maintained procedures.

Create a plan detailing how to handle and report cyber security incidents effectively.

Cyber security documents need approval from the chief security officer or system officer based on th

Include security needs in contracts with service providers and review them to ensure they meet curre

Only Australian nationals should control systems handling sensitive Australian data.

Sensitive gateways must have an IRAP assessment at least every two years using the latest ISM standa

Workstation event logs must be checked promptly to find any cybersecurity issues.

Ensure cyber security staff have tools to detect and identify security threats and incidents.

Inform the chief information security officer quickly after any cyber incident is found.

Create and keep a log of any cyber security incidents that occur.

When a data spill occurs, notify the data owner and limit access to protect information.

Before collecting evidence of cyber intrusions, get legal advice.

Investigators keep evidence intact by documenting actions, ensuring custody, and following law enfor

Report cyber incidents to ASD immediately when they're identified.

Service providers must report cyber incidents quickly to a specified contact as part of their contra

Notify security officers quickly if cryptographic equipment or keys might be compromised.

IT equipment and media are protected against unauthorized access when not actively being used.

Ensure that unauthorised individuals can't see computer screens or keyboards in secure areas.

Install cables according to Australian Standards as required by the communications authority.

SECRET cables must be kept separate in their own bundles or conduits to enhance security.

Use visible glue to seal plastic and TOP SECRET conduit joints in shared spaces.

Use special seals to secure TOP SECRET cable covers in shared spaces to prevent tampering.

Before entering top secret audio rooms, consult ASIO and follow their guidance.

TOP SECRET conduits must have labels every 5 metres, marked 'TS RUN', and be at least 2.5 cm by 1 cm

Ensure cables are labelled correctly by setting up and following specific procedures.

Keep a detailed record of each cable, including ID, colour, and location, to ensure proper cable man

Maintain a detailed record of cables and regularly check it for accuracy.

Secret and top secret cables must be connected to separate patch panels for security.

TOP SECRET patch panels must be within their own separate cabinets to enhance security.

Install barriers and restrict access to mix different security level patch panels in cabinets.

Ensure long TS fibre-optic cables are protected, easy to inspect, and labelled at the equipment end.

Ensure no unauthorised RF or IR devices are brought into high-security areas.

Staff are informed about what sensitive information can be talked about on phone calls.

Staff are informed about security dangers of using unsecured phones for sensitive talks.

Telephone systems must show a visual cue for the security level of a call when using encryption.

Sensitive phone calls should be encrypted to prevent eavesdropping when using outside systems.

Do not use cordless phones for sensitive talks unless they use ASD-approved encryption.

Speakerphones can only be used in secure rooms when discussing TOP SECRET matters.

Use features to prevent phone conversations being heard in sensitive areas.

Do not send sensitive information using paging or messaging apps.

Do not connect multifunction devices (MFDs) to digital telephone systems.

When an emanation security risk assessment is required, it is sought as early as possible in a syste

Private devices must keep classified work data separate from personal data to protect sensitive info

IT equipment is required to comply with standards to prevent electromagnetic interference.

All staff receive yearly training on using and protecting systems, and reporting incidents.

Develop and maintain a policy to manage how the web is used and accessed.

All web access must go through web proxies to control and monitor internet use.

Record details of websites accessed through web proxies, including web address and user info, for se

Gateways decrypt and check TLS internet traffic for safety reasons.

Create and uphold a policy to guide the use of email communications.

Prevent access to webmail services that haven't been approved by the organisation.

Sensitive emails must not go to groups unless all recipients' nationalities are confirmed.

Emails must be marked to show their highest confidentiality level based on content.

Protective tools for emails don't automatically add security labels to your messages.

Ensure users cannot choose classification levels the system cannot handle.

Prefer products evaluated against protection profiles over those with EAL evaluations for procuremen

Products must be delivered according to any specified delivery methods in evaluation documents.

Contact ASD for delivery procedures when buying high-security IT equipment.

Ensure evaluated products are set up and run correctly following vendor instructions and evaluated s

Ensure high-grade IT gear is set up and operated per ASD standards for security.

Label IT equipment based on the sensitivity of the data it handles.

Label IT equipment, except high assurance, with appropriate sensitivity or classification markings.

Seek approval before labelling high assurance IT equipment to ensure security standards.

Ensure patches and updates are applied correctly using a centralised system for better security.

Security patches for critical IT must be approved and applied as directed by ASD.

Applications no longer supported by vendors, except some key types, should be removed for security.

Ensure IT equipment maintenance is done onsite by technicians with proper clearance.

When a technician who lacks the required security clearance works on your IT equipment, a suitable c

Sanitise IT equipment if repairs are made by non-cleared technicians.

Off-site IT repairs must be at approved facilities matching the equipment's classification level.

Remove or clean media from IT equipment to ensure data is not left on the device.

Sensitive IT gear overseas must be sent back to Australia for destruction if it can't be cleaned the

Organisations must create and uphold processes for properly cleaning and disposing of IT equipment.

High assurance IT equipment must be destroyed before disposal to prevent data leaks.

Before IT equipment is publicly released, it must be sanitised and authorised after a formal decisio

Print three full pages of random text to ensure no data remains on printer cartridges or drums.

Destroy printer cartridges or print drums if they can't be sanitised, like other memory devices.

Ensure secure disposal of certain IT equipment by consulting the ASD for requirements.

Media should be classified by the highest level of data sensitivity it contains.

Media connected to more sensitive systems is upgraded to match the highest security level.

Before lowering media classification, it must be cleaned or destroyed and a formal decision made.

All media, apart from fixed drives built inside equipment, must carry a label showing how sensitive

Keep a regularly checked list of IT equipment connected to the network.

Media must only be used with systems that are authorised for its sensitivity level.

Ensure removable media cannot run programs automatically when inserted.

Disable writing to removable media unless it's necessary for business.

Disable external communication ports that could directly access system memory to prevent unauthorise

When moving data between different security levels, make sure to use media that can't be changed, un

Organisations must create, apply, and keep up media sanitisation methods and procedures.

Media that can't be cleaned of data must be destroyed before getting rid of it.

Turn off power to the storage device for 10 minutes to fully clear data.

Ensure SECRET and TOP SECRET media are made unreadable by overwriting with random data and verifying

Erase non-volatile magnetic media by overwriting with random data, ensuring old data cannot be acces

After cleaning, classified magnetic media must still be treated as classified.

Erase and overwrite EPROM with UV exposure and a random pattern to ensure data is completely removed

Even after erasure, certain memory devices stay classified as SECRET or TOP SECRET.

Non-volatile flash memory is wiped by overwriting it twice with random data, then checked to ensure

Even after being sanitised, flash drives for SECRET and TOP SECRET still need to be treated as class

Magnetic media is destroyed by ensuring the degausser has the right strength and orientation of the

Ensure magnetic media is degaussed according to the manufacturer's instructions to properly erase da

Ensure your organisation creates and follows proper media destruction procedures to securely dispose

Destroy media so resulting particles are no bigger than 9 mm to prevent data recovery.

Ensure destroyed media is supervised by a qualified person for security purposes.

Staff must oversee media destruction to ensure it is done correctly and completely.

Media destruction must be overseen by at least two security-cleared staff members.

Supervisors ensure accountable material is destroyed properly and sign a certificate to confirm it.

Organisations must create and uphold procedures for securely disposing of media.

After data is erased or destroyed, a formal decision allows media to be sent to the public.

Remove all identifying labels from media before throwing it away to ensure no information can be tra

Remove or turn off unnecessary user accounts and services on operating systems to improve security.

Ordinary users cannot remove or turn off approved apps on their own.

Change or disable default OS user accounts during setup to enhance security.

Each server should perform its own distinct function and not share a machine or operating environmen

Databases should be classified according to how sensitive the data they contain is.

Development areas are kept separate to enhance security and efficiency in software projects.

Follow Secure by Design practices throughout software development to ensure security.

Software is regularly tested for security vulnerabilities using various testing methods before and a

Requests for basic system access are checked when they are first made.

Keep a secure record of who accessed the system, who authorised it, and details of their access leve

A login message that reminds users of their security duties when accessing the system.

Foreign nationals can't access certain sensitive data unless security measures prevent it.

Foreign nationals need strict controls to access systems handling AGAO data.

People accessing systems must have unique identifiers to ensure accountability.

Ensure shared user accounts are used carefully, with each user clearly identified to maintain securi

If systems can't use multi-factor authentication, they should use passwords for single-factor authen

Store physical credentials away from systems except when logging in.

Ensure foreign nationals using the system are identified by their nationality for sensitive data sec

Passwords for sensitive systems must have at least 15 characters to enhance security.

Passwords on TOP SECRET systems should be at least 20 characters to ensure strong security.

Sessions lock after inactivity or maximum duration, blocking access until users re-authenticate with

Revoke system access for individuals as soon as it's no longer needed.

System access rules must be documented in each system's security plan to ensure proper access manage

Staff need job screening and security clearance for system access.

Staff must be briefed before accessing system resources.

When given temporary system access, personnel can only see data needed for their job.

Temporary access is not allowed for systems handling highly sensitive information.

Privileged users must have separate accounts for administrative tasks to enhance security.

Foreign nationals can't access Australian systems with sensitive data privileges.

Foreign nationals can't have privileged access to systems handling AGAO data except if seconded.

Ensure encrypted data can be accessed if the encryption key is lost or damaged.

Use approved cryptographic tools to encrypt sensitive or protected data to ensure security.

Use encryption to protect data on disks, ensuring all writings are to encrypted areas only.

HACE ensures the encryption of media with SECRET or TOP SECRET data is secure.

IT systems are treated according to their original sensitivity when accessed using encryption.

Use evaluated cryptographic tools to protect sensitive data on insecure or public networks.

Use HACE to secure SECRET and TOP SECRET data on less secure networks.

When data moves across networks, encrypt it using an approved (AACP) or high assurance cryptographic

Ensure cryptographic tools use only ASD-approved or high-assurance algorithms for security.

Ensure Diffie-Hellman encryption uses at least a 2048 bits modulus for secure key agreements.

Use ECDH with a base point order and key size of at least 224 bits, preferably NIST P-384, for secur

Ensure stronger digital signature security by using ECDSA with a key size of at least 224 bits, idea

Use a minimum 2048-bit RSA modulus for better security in digital signatures and key transport.

Use separate RSA key pairs for signing and key transportation to enhance security.

Symmetric encryption should not use ECB mode as it is less secure.

Ensure only approved secure cryptographic protocols are used in equipment and software.

Ensure SSH settings enhance security by limiting access, disabling risky features, and ensuring safe

Ensure SSH connections use public key authentication for enhanced security.

When logging in without a password via SSH, certain access features like port forwarding and X11 are

Ensure SSH without passwords uses specific commands and checks parameters for security.

SSH-agent caches must be used on systems with screen locks and expire after 4 hours of inactivity.

Only use S/MIME version 3.0 or later for secure email communications.

IPsec connections should use tunnel mode; if using transport mode, ensure an IP tunnel is used.

ESP protocol is needed to securely encrypt and authenticate IPsec connections.

IPsec connections should expire in less than four hours to maintain security.

Follow ASD's security rules for operating and managing communication systems safely.

Cryptographic equipment is moved securely depending on the sensitivity of its keys.

Ensure systems have established processes for managing cryptographic keys securely and efficiently.

Create network diagrams showing connections, critical servers, and security devices for proper docum

Ensure that network documentation is regularly created, updated, and kept available to support netwo

Ensure only approved devices can connect to the network, blocking unauthorised access.

Turn off IPv6 capabilities on network devices unless they are actively being used.

Do not use VLANs to separate networks with different security levels.

VLANs must be managed from the most secure and trusted part of the network.

Network devices should have any unused physical ports turned off to prevent unauthorized access.

Ensure network devices do not use shared paths for VLANs from different security areas.

Ensure public wireless networks are separate from organisation networks for security.

Ensure firewalls and proxies can handle video and voice data for secure conferencing and calls.

Video and IP calls must use secure protocols to keep communications private and safe.

Video and IP calls must use secure protocols to protect communication.

Keep video conferencing and internet phone (IP telephony) traffic separated, either by physical cabl

Ensure only authorised IP phones can register and use the network, blocking unauthorised and unused

Ensure all video call actions and settings changes are verified with authentication and authorisatio

Video calls must use secure two-way authentication to ensure calls are encrypted and cannot be reuse

Users must be verified for all actions such as registering phones and accessing voicemail on IP tele

Keep video conferencing and IP phone data separate from other data using VLANs or similar methods.

Public area IP phones cannot connect to data networks or access voicemail and directories.

Don't use microphones or webcams on non-classified computers in areas handling SECRET projects.

Email servers stop and track emails with wrong markings to prevent mistakes.

Ensure email servers only relay emails within their own domains to prevent misuse.

Emails are processed through central gateways for improved control and security.

Alternative email gateways must be kept to the same standards as the main gateway to ensure consiste

Emails should be sent through secure and encrypted channels using central gateways.

Ensure email servers use encryption to protect emails sent over public networks.

SPF helps confirm which email servers are allowed to send emails for your organisation's domain.

Organisations must create and keep an updated cyber security incident management and response plan.

A security monitoring policy must be developed (written down), implemented (actually put into practi

Important Windows security events are collected in a central location to monitor system activities.

Record details like time, user, and equipment for each logged event.

Establish a policy to guide the proper use of multifunction devices.

Multifunction devices should not scan or copy documents that are more sensitive than the network the

Multi-function devices should have security measures as strong as those for computers they connect t

Use verified switches to safely share devices between different computer systems.

Consult ASD when adding connections to cross domain systems and follow their guidance.

Users must be trained on securely using CDSs before they can access them.

Gateway admins have only the necessary access permissions for their tasks.

Gateway system admins must be formally trained to operate and manage the gateways effectively.

Only Australian nationals can manage gateways to certain secure networks.

Different people handle administrative tasks for gateways to reduce security risks.

Ensure users verify their identity before accessing networks through gateways.

IT devices must prove their identity to access networks through gateways.

Cross Domain Solutions connect SECRET or TOP SECRET networks with other networks securely.

Set up gateways to securely connect networks from different security levels.

Secure shared network components by assigning management to higher security system admins or a trust

Gateways should block any data transfers not specifically approved.

Log gateway events and alerts to monitor data flows and detect intrusion attempts.

Systems manage separate and secure network paths for upward and downward data movements to prevent s

Gateways use demilitarised zones to safely allow outside parties access to organisational services.

Ensure diodes for secure data flow in sensitive networks are thoroughly evaluated for high security.

Use special devices (diodes) to ensure data flows one way only between networks, enhancing security.

Ensure diodes used between secure and public networks are highly evaluated for safety.

Ensure only permitted file types are imported or exported through gateways.

Block files flagged as harmful or that cannot be scanned to prevent threats.

Files flagged as risky are held until checked and cleared or blocked.

Ensure data is checked for viruses and threats before being imported into systems.

Files passing through gateways or security systems are checked for unwanted or harmful content.

Check logs every month to ensure safe data transfers in top-secret systems.

Users are responsible for the data they move between systems.

Ensure data transfers are securely conducted with proper procedures in place.

Ensure data from high-security systems is checked and approved before export.

Only verified and authorised people or services can handle SECRET or TOP SECRET data exports.

Check signatures and keywords when exporting data at SECRET or TOP SECRET levels.

Ensure all key security events of Cross Domain Solutions are logged centrally for monitoring.

Data from SECRET and TOP SECRET systems must be signed by a trusted source before export.

Files with digital signatures or checksums must be verified at system boundaries to ensure integrity

Bluetooth must be turned off on mobile devices with SECRET or TOP SECRET information to prevent data

Use only ASD-approved mobile platforms for accessing SECRET or TOP SECRET data.

Personally owned mobile devices and desktop computers must never be used to access SECRET or TOP SEC

The Chief Information Security Officer (CISO) manages cyber security staff in the organisation.

Ensures cryptographic keys are erased on SECRET or TOP SECRET devices in emergencies.

Ensure that devices accessing the organisation's network through VPN do not use split tunnelling for

The organisation must appoint a Chief Information Security Officer (CISO) who provides cyber securit

The CISO is in charge of managing the organisation's cyber security staff.

The CISO must regularly update the board or executive committee on cyber security issues.

The CISO creates and updates a strategy to share the organisation's cyber security goals effectively

The CISO sets up metrics and indicators to measure and track cyber security performance in the organ

The CISO aligns cyber security with business by regularly meeting with a dedicated committee of key

The CISO ensures business and security teams work together effectively on managing security risks.

The CISO is responsible for managing risks in their organisation's cyber supply chain.

The CISO is responsible for handling the organisation's dedicated cyber security funds.

The CISO should be informed about all cyber security incidents in the organisation.

The CISO helps to ensure recovery plans are in place to maintain essential services during a disaste

Classified systems are kept in secure locations fitting their classification level.

Ensure classified systems are in facilities suitable for their security needs.

Make sure rooms with servers and security equipment are always locked or secured.

Staff learn to recognise and report suspicious online contact.

Staff should not share work info on unauthorised sites and must report if such info is found online.

Employees should be aware of the dangers of posting their personal info on the internet.

Staff should not use online services for files unless approved to avoid security risks.

Use security measures to find and handle unauthorised RF devices in secure zones.

Handle media carefully based on its sensitivity to keep information safe.

Volatile media (memory that normally loses its contents when power is removed, such as RAM modules)

Erase EEPROM data by overwriting it with random data and checking it to ensure it's properly wiped.

Do not allow external companies to destroy media with sensitive data.

Use certified services for destroying non-accountable material to ensure security and compliance wit

Application control is used to secure workstations by managing which programs can run.

Application control is a security feature that only lets approved software run on a computer, blocki

Ensure that all user sessions end and computers are restarted every day.

AUSTEO and AGAO data is only accessible via government-controlled systems within authorised faciliti

Ensure emails from your organisation's domains use DKIM to verify authenticity and prevent forgery.

Mobile devices block users from installing apps that are not approved by the organisation.

Mobile devices ensure users cannot change or disable security features once set up.

Don't look at sensitive data on mobile devices in public unless you can shield your screen from othe

Mobile devices must use ASD-approved encryption for both internal and external storage.

Ensure mobile devices are secure when not in use to prevent unauthorized access.

Ensure mobile devices are watched carefully whenever they are in use to avoid loss or theft.

Mobile devices and desktop computers access the internet via an organisation's internet gateway rath

Cyber security documentation is reviewed at least annually and includes a 'current as at \[date\]' o

Ensure systems have a plan for managing changes, including approvals and notifications for both rout

Systems with malware are isolated, scanned, cleansed, or restored to stop the infection.

Do not use salmon pink or red for non-classified, sensitive, or protected cables.

In SECRET and TOP SECRET areas, special handsets or headsets are used to prevent unintended audio tr

Choose vendors who prioritise secure design and development in their applications.

Clean rewriteable media after transferring data between systems of different security levels.

Ensure applications are controlled using secure hashing, valid certificates, or designated paths.

Create a list of approved or blocked domains for secure web traffic management.

Web filters block active content from unapproved websites.

Web filters help block harmful content from the internet.

Developers must use OWASP standards for building secure web applications.

Unprivileged system users must use multi-factor authentication to log in to enhance security.

Logs must use a reliable time source for accuracy and consistency.

ECDH is preferred over DH for secure data exchanges.

Use specific algorithms for authenticating IPsec connections, preferring none if AES-GCM is used.

For IPsec connections, use DH/ECDH methods to securely establish keys with specific group sizes for

Use PFS to ensure past IPsec keys can't be used if current ones are compromised.

Security measures are in place to ensure that only authorised users can access network management sy

RF shielding is used to control the wireless signal range and keep it limited to an organisation's s

Ensure each user has a unique login when using IP phones for secret conversations.

Create and maintain a plan to handle service disruptions for video calls and IP telephony.

Notify people if their sent or received emails are blocked due to marking issues.

Only verified senders get notified if their email cannot be delivered.

Ensure that DKIM signatures on received emails are checked to identify legitimate sources.

Ensure email lists don't invalidate DKIM signatures from external senders.

Install systems at network gateways to monitor and protect against unauthorised access or threats fr

Install and configure systems to detect and alert on unauthorized network traffic past the main fire

Ensure older and less secure authentication methods are not used to protect network security.

Multifunction devices (combined printers, scanners, copiers and fax machines) are located in open, v

Gateways are tested every six months or after changes to ensure they meet security standards.

Ensure physical security for critical equipment based on its classification.

Systems must disable outdated LAN Manager and NT LAN Manager authentication to enhance security.

All data held on storage media must be encrypted using cryptography approved by the Australian Signa

Reset hidden and configuration settings on hard drives before erasing them to ensure nothing is over

Use secure erase plus software to fully overwrite data on hard drives, including hidden areas.

Every system should have a specific person responsible for managing it.

Service providers need a contract before accessing or managing your systems.

Ensure keys to server and communication rooms are securely managed.

Televisions and computer monitors that show minor burn-in or image persistence must be sanitised by

Create and keep a policy for how phones should be used within the organisation.

Get ASD's approval before repairing sensitive IT systems.

Ensure that data at rest is encrypted using strong cryptographic algorithms like AACA for high secur

Ensure a policy is in place to guide how mobile devices are used in the organisation.

Personnel are informed about what levels of classified communication are allowed on mobile devices.

If you can't secure a mobile device, it must be carried in a security bag or similar for safe transp

Mobile devices must encrypt sensitive data sent over public networks using approved cryptography.

Inform your employer immediately if your mobile device is compromised or shows unusual behaviour whi

Email reply or forward tools must not allow reducing security markings from the original.

Change encryption keys if they are compromised to maintain security.

Label wall outlet boxes with system, cable, and box identifiers for easy identification.

Label cables on both ends for easy identification and inspection of where they start and end.

In TOP SECRET areas, cables connecting to cabinets outside server rooms stop at the cabinet edge.

TOP SECRET cables must be connected only in designated TOP SECRET cabinets for security purposes.

In TOP SECRET areas, ensure cables are terminated very close to cabinets for security.

Ensure cables are ended near cabinets to improve connection and organisation.

In top secret areas, cables must end at the cabinet's edge unless in server or communications rooms.

Wall outlets for SECRET and TOP SECRET should only have cables that match these classifications.

Wall outlet boxes must not be coloured salmon pink or red to ensure proper classification.

Wall outlet covers must be transparent plastic to visually inspect without obstruction.

Use fibre-optic cables instead of copper to improve data security and efficiency in cabling infrastr

Cables outside TOP SECRET areas should be easy to inspect every five metres for security checks.

Cables and conduits in shared spaces must be visibly separated or partitioned to ensure safety and o

Ensures cables in walls are protected by running through flexible or plastic conduits.

Ensure there's a visible gap between top secret and other cabinets for security reasons.

Cables in highly secure areas must be checked along their entire length for any issues.

Ensure TOP SECRET cables that pass through walls to lower security areas are protected by conduits a

All Top Secret IT equipment must use power from a board with a UPS to maintain functionality during

Ensure cables in shared buildings are placed in closed pathways to prevent tampering.

In shared buildings, do not place TOP SECRET cables within walls shared with other spaces.

System owners must ask for a security risk assessment when setting up SECRET or TOP SECRET systems.

Ensure only the latest TLS version is used to secure connections.

Ensure patches for systems are regularly updated and processes are in place to manage this.

Privacy filters help keep sensitive information on mobile screens private in public spaces.

Keep your personal and work user accounts separate when using online services.

SPF helps confirm if an email really comes from who it claims to, preventing fake emails.

When destroying media, use degaussers approved by the NSA to ensure effectiveness.

Diodes ensure secure, one-way data flow between secret and other networks.

Only use NSA-approved degaussers to securely erase data from storage media.

Each system must have a written continuous monitoring plan that covers three things: (1) running sec

In shared spaces, use clear plastic for cables on ceilings, floors, and walls to ensure visibility.

Web filters prevent website access if using an IP address instead of a domain name.

Privileged users must verify their identity using multiple forms of identification to log into syste

Privileged accounts can't access the internet or web services unless explicitly allowed.

When sharing network details, only provide what's needed for others to fulfil their contracts.

Networks have separate zones based on the importance of servers, services, and data.

Restrict network traffic flow to ensure it only supports business needs.

Use a strict SPF record to ensure only authorised servers send emails on behalf of the organisation.

Use network security devices that support IPv6 to protect networks using IPv6 or both IPv6 and IPv4.

When exporting data manually, ensure it doesn't have improper protective markings.

Gateways check and filter data to ensure only safe data passes through the network.

Use certified management solutions to ensure mobile devices follow security policies.

Bluetooth on mobile devices is only discoverable during pairing to protect sensitive information.

Ensure Bluetooth connections for devices are only made with intended, authorised equipment.

Remove Bluetooth pairings on certain mobile devices when they are no longer needed.

Use secure methods when pairing Bluetooth on sensitive mobile devices, like numeric comparison.

System owners work with authorising officers to assess threats and risks for each system.

Admins follow a defined plan for system changes to ensure proper management.

Capture and analyse network traffic for a week to ensure hackers are removed after an intrusion.

Non-standard cable colours for SECRET and TOP SECRET must be labelled correctly at inspection points

Before throwing away IT equipment, remove any labels that show ownership or use.

Overseas IT equipment with sensitive data must be sanitised where it is located.

Inspect multifunction device print drums and image transfer rollers, and destroy any that still hold

Check printer surfaces, and destroy them if they have any leftover text or images.

Network devices should be cleared of data using specific steps to ensure memory is secure.

Televisions and monitors that can't be cleaned of data are to be physically destroyed.

Network device memory is cleaned by following specific guidance or doing a reset and reinstalling fi

User account passwords must be created randomly to enhance security.

Timely analysis of security events to spot incidents.

Ensure secure IPsec connection by using IKE version 2 for exchanging keys.

Checks emails for harmful content to keep systems safe.

Limit application extensions to those approved by the organisation.

Web filters block known harmful domains and those registered anonymously or for free.

Use web filters on outgoing internet traffic to block unsuitable content where necessary.

Use threat modelling to identify potential risks when developing software.

Develop web apps using strong frameworks to enhance security.

All internet-received inputs for software must be validated and cleaned to prevent security issues.

Web applications must correctly encode all their outputs to prevent security risks.

Maintain an up-to-date list of databases and check it regularly to ensure accuracy.

Ensure temporary files are deleted after installing server applications to maintain system security.

Servers are secured using the most restrictive guidance from ASD and vendors to protect against vuln

Remove unnecessary accounts and features from servers to enhance security.

Server apps must run separately with only the necessary permissions to operate.

Server applications have restricted user account access to the server's file system.

Users can only access or change database information if it's part of their job.

Use file permissions to safeguard database files from unauthorised access.

Change or remove default user accounts and passwords in server apps to enhance security from the sta

Administrators must use unique accounts to manage each server application.

Only authorised users can access database contents by using specific privileges, roles, and techniqu

Databases and web servers should be kept separate to enhance security.

Databases should be on a different network than user computers to enhance security.

Database server communications are limited to necessary network resources only.

If the database is only accessed locally, its network connection must be disabled or set to local on

Keep development and production database servers separate to ensure secure operations.

Production data can only be used in non-production areas if they are secured equally as well.

Checks ensure database queries from software are legitimate and correctly formatted.

Software should use parameterised queries or stored procedures to safely access databases.

Data exchanged between database and web servers must use approved encryption methods.

Software should reveal minimal database structure details in error messages.

Check files coming in and out of gateways to ensure they meet security standards.

Files going through gateways must be converted to ensure security and compatibility.

Files passing through gateways or CDSs are cleaned to remove harmful content.

Files going through gateways are checked with several antivirus programs for safety.

Archive files moving through gateways or Cross Domain Solutions are unpacked first so their contents

Ensure unpacked archive files do not disrupt system filters or cause unavailability.

Encrypted files must be decrypted to check their content when transferred through gateways.

Data transfer logs are checked monthly to ensure some accuracy and compliance.

Ensure network devices in public areas are secure from damage and unauthorised access.

Consult lawyers before allowing personal devices to access organisation's systems or data to prevent

Inform staff about privacy and security risks when taking mobile devices abroad.

This guideline advises on secure mobile device use to prevent data theft or compromise.

Upon returning from overseas, clean your devices, reset any lost credentials, and report any securit

During setup, change or remove default login details for network devices to enhance security.

Avoid using SNMP versions 1 and 2, as they are insecure for network management.

To enhance security, change default SNMP passwords and disable write access on network devices.

All wireless devices must have Wi-Fi Alliance certification for security standards.

Ensure that administrative access to wireless routers cannot be done through wireless connections.

Change default wireless network names to enhance security.

Ensure non-public WiFi network names (SSIDs) don't reveal info about the organisation or location.

Wireless networks should have their SSID broadcasting disabled for security.

Don't use fixed IP addresses for devices on wireless networks to enhance security.

Do not use MAC address filtering to control devices connecting to your wireless network.

Use secure EAP-TLS with certificates to authenticate devices and disable other methods.

Use evaluated devices and servers for secure wireless network authentication.

Devices and users must have certificates to connect to wireless networks.

Certificates must be created using approved secure tools to verify identities.

Certificates must be secured using access controls, encryption, and authentication to prevent unauth

Ensure that stored authentication data for networks isn't kept for more than a day.

Use WPA3-Enterprise 192-bit mode to secure information transferred over wireless networks.

Wireless networks should use different frequencies to avoid interference with each other.

Ensure wireless networks use the 802.11w standard to secure management frames from tampering.

Deploy many low-power wireless access points to cover an area instead of few high-power ones.

Ensure your computers are protected by constantly monitoring for threats.

Organisations must create and uphold a policy for using removable media safely.

Use officially approved devices for destroying media to ensure proper disposal.

Ensure VLANs from different security domains use separate network interfaces to avoid cross-traffic.

Apply security updates to mobile devices immediately upon availability to prevent security breaches.

Use AES-GCM to securely encrypt information sent over TLS connections.

Only the server can start secure renegotiation for TLS connections to maintain security.

Use DH or ECDH methods to securely establish keys for encrypted internet connections.

Do not use Anonymous Diffie-Hellman for secure connections to prevent security vulnerabilities.

Use secure certificates to prevent eavesdropping on data sent over the internet.

TLS connections must use SHA-2 for better security, acting as a key and message verifier.

Privileged users should work in distinct environments to increase security and reduce risks.

Administrative systems are isolated from the main network and internet to enhance security.

Only authorised admin systems should manage network settings, ensuring security and control.

Ensure all admin tasks are done through safer, intermediary servers to enhance security.

Files coming through gateways are tested in a safe environment to catch suspicious activities.

Only certain users can change files and folders as allowed by system rules.

Service providers must protect any entrusted data adequately.

Ensure work data and personal data are kept separate on employees' personal devices.

Users need to use multiple identification methods to ensure secure access.

Store credentials securely using a password manager, hardware module, or by enhancing them with tech

User accounts must lock after no more than five failed login attempts, with the lockout lasting inde

If a user doesn't use their system access for 45 days, it's disabled to keep the system secure.

Ensure all event logs are collected and managed in one central location for analysis and security mo

Use pre-configured software setups for all computers and servers to ensure consistency and security.

Use the latest or previous operating system version to keep systems up-to-date.

Use 64-bit operating systems if they are supported by your computer.

Ensure operating systems follow strictest security guidelines from ASD or vendors.

Web browsers must be set with the strictest security settings per ASD and vendor guides.

Use software firewalls to control what apps and services can connect to your network.

Install antivirus software on all computers and servers to detect and prevent malware and ransomware

If you don't need to use removable devices for work, access to them should be blocked.

Software development should only be done in dedicated development environments.

Data from live systems can't be used in test setups unless test setups are just as secure.

Ensure only authorised users can access the main software source to keep it secure.

Web servers use security headers to protect web applications from attacks.

Gateways block fake IP addresses to protect network entries.

IPv6 tunnelling on network devices should be disabled unless absolutely needed.

Configure your network security appliances to block IPv6 tunnelling traffic at every point where you

Use DHCPv6 to manage and log IPv6 addresses centrally for enhanced network organisation.

Discuss with cloud providers how to handle costs and actions for denial-of-service attacks to mainta

Ensure online service domain security by locking registration and verifying details.

Critical online services are kept separate to reduce the risk of service disruption from attacks.

Online services are hosted using cloud service providers for improved service continuity.

Use CDNs to keep websites running smoothly and available when needed.

Avoid sharing web server IPs and limit access to them by CDNs and authorised networks for security.

Ensure secure cryptography by using NIST-approved elliptic curves for encryption.

Use temporary DH or ECDH keys for secure TLS connections.

Ensure SSH keys have a password or are encrypted to prevent unauthorised access.

Do not use microphones or webcams with non-Top Secret devices in Top Secret areas.

Ensure contracts with service providers clearly state who owns the data.

Assess each supplier of operating systems, applications, IT and OT equipment, and services to unders

TLS connections must be set up to protect past data even if the server's private key is compromised.

Ensure RADIUS server communications are encrypted for increased security.

Ensure devices used to share equipment between classified systems meet high security standards.

Use software isolation tools from vendors committed to secure design principles and practices.

When software isolation shares one physical server for SECRET or TOP SECRET work, the server and eve

Ensure all user applications like email and web browsers are updated to their latest versions.

Unneeded user accounts, components, services and functionality within user applications must be disa

Use known publisher and product names to control which applications can run on a system.

The CISO is responsible for managing the organisation's cyber security and ensuring compliance with

Servers should reduce interaction with each other to enhance security.

Peripheral switches used between classified and unclassified systems must undergo a thorough securit

Organisation devices must keep classified and personal data separate to protect classified informati

Ensure that internet-facing server applications always use the latest software version.

Block web browsers from displaying online ads to enhance security.

Ensure web browsers are set to block Java from running online.

Only authorised users can edit trusted Microsoft Office macros to prevent malicious code.

Microsoft Office blocks macros from files downloaded from the internet to enhance security.

Users cannot alter the security settings for Microsoft Office macros, ensuring consistent protection

Ensure application security by using controls on servers exposed to the internet.

Prevent users without admin rights from running scripts or commands that could pose security risks.

Ensure operating system settings are adjusted to block potential attacks.

Ensure software lists for all IT equipment are up-to-date and regularly checked.

Replace operating systems that are no longer supported to maintain security.

Use two or more forms of identity verification to access sensitive data online.

Users need multiple forms of ID to access sensitive online services, enhancing security.

Require multi-factor authentication for accessing data storage to enhance security.

SSH version 1 is turned off to improve security for SSH connections.

Requests for special system access are checked before approval to prevent unauthorized use.

Only grant system privileges necessary for users to perform their job roles.

Keep records of high-level system access in one place to monitor and respond to potential issues.

Organisations must create and keep up-to-date a policy for preserving digital information.

Ensure data backups are done based on business importance and kept for future recovery needs.

Backups should be restored regularly to ensure data can be retrieved in case of a disaster.

Machines destroy microfiche by turning them into fine powder so no more than five characters remain

Ensure appropriate screening and security clearance for gateway admins based on system sensitivity.

Ensure data flows are separated by breaking protocols at each network level for security.

CDSs have independent security controls for data going both up and down between networks.

Every three months, security events are reviewed to ensure CDS are working correctly and follow data

Content filters need thorough testing to make sure they work properly and can't be bypassed.

System owners must register their systems with the designated authorising officer for oversight.

System owners work with officers to set system boundaries and objectives based on potential impact i

Firewalls are installed to separate the organisation's networks from the public internet, enhancing

For SECRET or TOP SECRET services, only community or private clouds should be used to ensure securit

Keep classified IT equipment in secure containers based on their classification and location's secur

Do not use VLANs to separate internal networks from the public internet.

Create and maintain policies to manage and control mobile devices within the organisation.

Procedures are set to stop sensitive data from being sent to foreign systems that aren't suitable.

Ensure processes are in place to block export of sensitive data to foreign systems.

Ensure Microsoft Office is set to block the use of OLE packages for added security.

Keep track of important activities in databases, like access, changes, and issues, to ensure securit

Ensure emails from your domains are legitimate by rejecting ones that fail DMARC checks.

Microsoft Office is set to block OLE, a feature that could pose security risks.

Maintain a register of RF and IR devices for secure areas to ensure authorised use.

Organisations must use Microsoft's blocklist to stop unauthorised applications from running.

Verify user identities before they can access any system.

Ensure data backup processes and procedures are created, used, and kept up to date.

Organisations must create and keep updated processes for restoring data.

Create and update a policy to manage media handling effectively.

Ensure IT equipment is disposed of properly by following established procedures.

Organisations must create and sustain a policy for managing IT equipment.

Ensure all web content is delivered over a secure HTTPS connection.

TLS connections should not use compression to prevent security risks.

Use specific work devices and avoid personal phones when going to high-risk countries.

Before travelling overseas, ensure mobile devices are recorded, updated, reduced to essentials, and

Reset credentials and watch for suspicious account activity after travel to high-risk areas.

Passwords for SECRET systems must be at least 17 characters long to enhance security.

Passwords must not use predictable sequences, like quotes or sentences, and must meet minimum word c

Passwords for secure systems should have at least 6 characters to enhance security.

Passwords for SECRET systems using multi-factor authentication must be at least 8 characters.

TOP SECRET systems must use passwords of at least 10 characters for added security.

Ensure video and IP telephony systems are secured against threats.

Create a report detailing the scope, weaknesses, risks, and controls of a system after assessment.

After assessing security, system owners create a plan to address and resolve issues.

Privileged users receive yearly customised cyber security training.

System logs keep track of unprivileged user actions to monitor access and security.

Suppliers considered high risk are not chosen to ensure the security of the supply chain.

Buy IT and OT products only from suppliers who show they care about product security.

Create, write down and share a shared responsibility model so suppliers and customers each know whic

Cloud service providers must undergo an IRAP review at least every 24 months.

Contracts with service providers must include clauses that allow security compliance checks.

Ensure service contracts specify data regions and notify configuration changes ahead of time.

Ensure contracts specify how organisations can access logs about their data from service providers.

Ensure service contracts cover data portability for backups, migration, and decommissioning.

Service contracts require a one-month notice before a provider can stop services.

Service providers must alert organisations if they access systems without permission.

Ensure that an organisation's network is kept separate from its service providers' networks for bett

Cloud services must be able to scale resources quickly to handle sudden increases in demand.

Online services should switch easily between zones to maintain availability.

Organisations monitor online services to ensure they can handle traffic and remain available at all

Check and approve application control rules once a year to ensure they are effective.

Ensure contractors are labelled distinctively from other personnel in systems.

Ensure non-admin users cannot change or disable security settings on operating systems.

Users cannot modify web browser security settings to ensure consistent protection.

Keep logs to track every time data is transferred into or out of the system.

System owners must annually report each system's security status to an authorising officer.

Standard Operating Environments must be reviewed and updated once every year.

Ensure email is encrypted during transfer between servers to enhance security.

Change user account credentials if they're compromised or potentially insecure.

Remove or pause access immediately if someone is found doing harmful activities on the system.

Regular users cannot install apps unless they are approved, keeping systems secure.

Users need to show proof of who they are before getting new login details.

Credentials are securely delivered to users, or split between users and supervisors if secure delive

Users must change their initial passwords the first time they log in to enhance security.

Users should not use the same passwords on different systems for better security.

Passwords and personal credentials are hidden when entered in systems to enhance security.

After maintenance, check IT equipment to ensure no unapproved changes were made.

Ensure IT equipment is handled based on how sensitive or classified it is.

Before using any media, clean it to ensure no unwanted data is present.

Apply Microsoft's rules to reduce potential weaknesses in user applications.

Make sure all stakeholders are informed about cyber security documents and their updates.

Turn off login methods that can be tricked into accepting false entries.

A software-based isolation mechanism is software (such as a hypervisor or container engine) that let

When you run a software-based isolation mechanism (software that separates different workloads, such

When you run a software-based isolation mechanism that shares the same physical computing resources

Ensure shared resources have integrity monitoring and logging for safety and transparency.

Third-party standard operating environments must be checked for viruses and bad configurations.

System owners must be asked before allowing intrusions to persist for collecting evidence.

Ensure emergency access to IT systems is documented and tested during major IT changes.

Break glass accounts should be used only if normal login methods fail.

Use special accounts only for approved emergency activities to maintain system security.

Logging is used to track and monitor the use of emergency access accounts.

Change break glass account passwords after emergency access.

Ensure emergency accounts work properly after changing their passwords.

Create a program to find and fix software issues to keep products secure.

The CISO ensures the cyber security program stays relevant to combat threats and seize opportunities

The CISO is responsible for managing the organisation's reactions to cyber security threats.

Ensure service accounts are created as Managed Service Accounts for improved security.

Privileged user accounts must belong to a special security group for extra protection.

Ensure the outdated PowerShell 2.0 is disabled or uninstalled for security.

PowerShell should be setup to limit script execution and mitigate potential risks.

Ensure PowerShell actions and logs are collected in a central place for monitoring.

PowerShell logs are safeguarded by secure event logging that ensures their protection.

Create and manage a program to address threats from within the organisation.

Get legal advice when making and applying plans to handle insider threats.

Block connections from anonymous networks to keep the organisation's network secure.

Ensure outbound connections to anonymous networks are blocked for security.

Use NIST guidelines to choose secure parameters for Diffie-Hellman encryption to safely agree on ses

Ensure all suppliers linked to IT and OT systems are identified for security management.

Buy technology from suppliers known for keeping their systems secure.

System owners, in consultation with each system's authorising officer, determine the system boundary

System owners, in consultation with each system's authorising officer, select controls for each syst

System owners must apply security measures to safeguard each system and its environment.

System owners ensure security checks for specific systems to verify proper setup and operation.

Keep an up-to-date register of cloud services used, and regularly check it.

Keep a detailed list of cloud services used, including provider details, service purpose, and securi

Label cables with purpose clearly at intervals to ensure easy identification.

Ensure all cables from foreign systems in Australia are labelled at check points.

After using a degausser, damage internal components of magnetic media to prevent data recovery.

Clean media thoroughly before using it in a new security area to prevent data leaks.

Keep a record of software versions and update histories for system security.

Avoid discussing sensitive topics on mobile phones in public to prevent eavesdropping.

Regularly update and review floor plans to ensure they are accurate and current.

Floor plans should show cable paths, conduit systems, and key network component locations.

Privileged system access is disabled if not revalidated within a year.

Access with special privileges is disabled if not used for 45 days to enhance system security.

Use just-in-time methods to manage who can access system resources, ensuring enhanced security.

Keep track of changes to privileged user accounts by logging them in one central place.

Ensure Internet Explorer 11 is not used to enhance system security.

.NET Framework 3.5 should be turned off or uninstalled for security reasons.

Ensure servers not connected to the internet have application control for security.

Only approved software and scripts can run, enhancing system security.

Ensures only approved drivers are run on systems, enhancing security.

Use Microsoft's list to stop harmful drivers from running on systems.

All application events, whether allowed or blocked, must be recorded centrally.

Microsoft Office is configured to prevent it from starting other programs or processes.

Microsoft Office is set to not produce executable files to enhance security.

Microsoft Office is configured to not insert code into other programs for security reasons.

PDF software can't start other programs, stopping potential security threats.

Microsoft Office macros are turned off unless users have a proven need for them.

Ensure Microsoft Office is set to scan macros for viruses to protect against malware.

Microsoft Office macros cannot make direct calls to Windows APIs.

Only safe Microsoft Office macros are allowed to run, using security measures like sandboxing or tru

Macros from untrusted sources in Microsoft Office can't be enabled through standard interfaces.

Check the list of trusted publishers in Microsoft Office at least once a year so only approved softw

Use multiple verification steps for accessing external services with sensitive data.

Users must use multi-factor authentication for online services handling non-sensitive data.

Customers must use multi-factor authentication when accessing sensitive online services.

Multi-factor authentication protects systems by not relying solely on passwords, reducing phishing r

Multi-factor authentication attempts, whether they succeed or not, are logged together in a central

Ensure passwords for high-risk accounts are strong, unique, and properly managed.

Credential Guard is activated to better protect user credentials from unauthorised access.

Privileged environments must not be virtualised within non-privileged ones to ensure security.

Users without privileges cannot access systems meant for privileged users.

Privileged users aren't allowed to log into standard environments to ensure security.

Apply non-critical patches to online services within two weeks to prevent unexploited vulnerabilitie

Apply patches to major software tools like browsers and email clients within two weeks to prevent vu

Apply crucial software patches within 48 hours to prevent security breaches from known vulnerabiliti

Apply updates to non-generic software within a month to keep systems secure.

Apply patches for non-critical vulnerabilities on internet-facing devices within two weeks if no kno

Ensure non-internet-facing systems are updated within a month to protect against known vulnerabiliti

Apply critical security patches to certain systems within 48 hours to prevent exploits.

Apply updates for driver vulnerabilities within a month if they are non-critical and have no known e

Online services are checked daily for missing updates to prevent vulnerabilities.

Every week, a scanner checks for software updates to fix security issues in commonly used applicatio

A scanner is used every two weeks to find missing updates in most applications.

Use a daily scanner to find missing security updates on internet-facing systems to keep them secure.

Regular checks detect missing updates on devices to fix security gaps.

A scanner checks every two weeks to find missing security patches for drivers.

Unsupported software like browsers, productivity tools, and security apps should be removed to maint

Only backup administrators can access backups; other privileged users cannot access backups of diffe

Privileged users cannot access their own data backups; only backup administrators can.

Only backup admins can modify or delete backups; others are restricted.

Backup administrators cannot change or delete backups until the retention period ends.

Ensure wireless access points are secured by updating default settings for enhanced protection.

Use available methods to keep user identities private when using EAP-TLS for wireless network authen

802.11r is disabled unless secured by approved cryptographic protocol.

Ensure a register for tracking removable media is created, kept up-to-date, and routinely checked.

Ensure a 'security.txt' file is available on each website to aid in reporting vulnerabilities.

SECRET cables are identified by their salmon pink colour.