Using HACE for Secure Communication of Data
Use HACE to secure SECRET and TOP SECRET data on less secure networks.
Plain language
Imagine you're sending a super important letter through the post. You wouldn't want just anyone to read it, right? This control makes sure that when you send important digital data, it stays private and only the right people can see it, even if it travels along a less secure or public route. Without these measures, your sensitive information could be intercepted and misused, leading to potential financial or reputational harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptographySection
Cryptographic fundamentalsOfficial control statement
HACE is used to protect SECRET and TOP SECRET data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.
Why it matters
If HACE is not used, SECRET/TOP SECRET data sent over public or insufficiently secure networks can be intercepted and compromised.
Operational notes
Confirm HACE is enabled for all SECRET/TOP SECRET communications over public/insufficient networks, and regularly validate keys, configs and compliance.
Implementation tips
- The IT team should make sure that they encrypt sensitive data before sending it over public or less secure networks. Encryption transforms the data into unreadable code that only the intended receiver can interpret. Use tools recommended by the Australian Cyber Security Centre (ACSC) to ensure effective encryption.
- Managers need to train staff on the importance of secure data communication. Arrange workshops that explain how to identify sensitive information and the steps needed to protect it using secure methods. Ensure all team members know who to contact if they suspect a breach.
- The procurement department should source and implement communication tools that support strong encryption. This means choosing software that includes end-to-end encryption capabilities for emails and file transfers. Consult with cybersecurity experts to vet available software options for compliance with best practices.
- Business owners or head decision-makers should create a policy for securely sharing sensitive information. Draft a clear policy document that outlines what types of information need securing and the approved methods for transmission. Regularly review and update the policy to include new threats and technologies.
- The systems administrator should regularly update encryption protocols and tools. Set a schedule to check for and install updates from software vendors that enhance encryption effectiveness. Staying current with updates helps protect against new vulnerabilities.
Audit / evidence tips
- AskThe list of data types considered sensitive: Request a document that categorises information levels from regular to TOP SECRET GoodShows a comprehensive list aligned with business operations and risks
- GoodIncludes consistent training records with confirmation of understanding
- AskThe policy on encryption tools and methods: Request the documented policy that explains when and how encrypted communication must occur GoodIs a detailed, current policy regularly reviewed and approved by management
- AskDocumentation on how communication tools were evaluated and selected GoodShould show a clear evaluation process in line with cybersecurity standards
- AskRecords of encryption updates: Request logs or reports detailing when encryption tools and protocols were last updated GoodIs a consistent record showing timely updates ensuring security
Cross-framework mappings
How ISM-0467 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.24 | ISM-0467 mandates HACE for SECRET and TOP SECRET data in transit over insecure networks | |
| handshake Supports (3) expand_less | ||
| Annex A 5.14 | ISM-0467 requires HACE to be used to protect SECRET and TOP SECRET data communicated over insecure networks, public infrastructure, or ou... | |
| Annex A 6.7 | ISM-0467 requires HACE for SECRET and TOP SECRET data communicated outside secure areas | |
| Annex A 8.20 | ISM-0467 requires HACE for SECRET and TOP SECRET data on insecure networks | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.