Security Measures for Manual Data Export
Check signatures and keywords when exporting data at SECRET or TOP SECRET levels.
Plain language
When you're moving data manually from computer systems marked as SECRET or TOP SECRET, it's crucial to make sure that the data hasn't been tampered with and doesn't contain anything it shouldn't. This matters because mishandling such sensitive information can lead to severe security breaches, potentially exposing critical secrets that could harm national interests or your organisation's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 May 2026
E8 maturity levels
N/A
Official control statement
When manually exporting data from SECRET and TOP SECRET systems, digital signatures are validated and keyword checks are performed within all textual data.
Why it matters
Failure to validate signatures or keywords can lead to data leaks or tampered information, endangering national security and damaging organisational trust.
Operational notes
Before manual exports from SECRET/TOP SECRET, validate digital signatures and run keyword checks across all text, and review/update keyword lists and signature trust stores.
Implementation tips
- IT team should verify digital signatures: Before exporting any data, the IT team needs to check the digital signatures on documents to confirm authenticity. Use digital signature verification software to ensure the data hasn't been altered.
- System administrator should set up keyword filtering: The system admin should program software to scan for specific keywords before data can be exported. This can be done by configuring data loss prevention tools to flag and block sensitive terms.
- Data handlers must undergo training: All staff involved in data handling should receive training on identifying digital signatures and using keyword-checking tools. Conduct annual workshops explaining why these processes are vital and how to effectively execute them.
- Managers should enforce export protocols: Managers need to ensure there's a clear procedure for data export that includes digital and keyword checks. Draft a protocol document, outlining steps and assign responsibility for each stage of the process.
- Compliance officer should regularly review practices: A compliance officer should regularly review data export processes to ensure adherence to protocols. Conduct quarterly audits and update processes based on new threats or technological changes.
Audit / evidence tips
- AskDigital signature verification logs: Request logs showing the digital signatures of files exported GoodWould be logs showing all files with valid signatures and no anomalies
- AskKeyword detection reports: Request records of keyword scanning reports for exported data GoodWould include timely intervention in export attempts that included flagged keywords
- AskTo see the training schedule and attendance records: Get the training schedule for relevant staff and attendance sheets GoodResult would include an up-to-date training roster with signatures or digital confirmations of attendance
- AskThe data export protocol document: Request the official document outlining the export process GoodWould be a comprehensive document, reviewed and signed by senior management
- AskAudit and review records: Request records of any internal audits or reviews conducted on data export practices GoodWould show regular reviews, action taken on past recommendations, and an improved compliance track record
Cross-framework mappings
How ISM-0669 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 8.12 | Annex A 8.12 requires organisations to apply DLP measures across systems, networks, and devices processing sensitive information | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.