ASD Information Security Manual (ISM)

ISM-0181

Ensure Cabling Meets Australian Standards

ISM-0187

Exclusive Secret Cable Bundling in Infrastructure

ISM-0194

Sealing Conduit Joints in Shared Facilities

ISM-0195

Seal Removable Covers on TOP SECRET Cables

ISM-0198

Consultation for Penetrating Audio Secure Rooms

ISM-0201

Labelling Requirements for TOP SECRET Conduits

ISM-0206

Develop and Maintain Cable Labelling Processes

ISM-0208

Maintain a Comprehensive Cable Register

ISM-0211

Regular Maintenance of a Cable Register

ISM-0213

Segregate Patch Panels for Secret-Level Cables

ISM-0216

Ensure Separate Cabinets for TOP SECRET Patch Panels

ISM-0217

Secure Separation of Non-TOP SECRET and TOP SECRET Panels

ISM-0218

Label and Protect Long TS Fibre-Optic Leads

ISM-0246

Early Emanation Threat Assessment in System Lifecycle

ISM-0249

Contact ASD for Emanation Threat Assessments

ISM-0250

Ensure IT Equipment Meets EMI/EMC Standards

ISM-0926

Ensure Cables Are Not Salmon Pink or Red

ISM-1095

Proper Labelling of Wall Outlet Boxes

ISM-1096

Ensure Proper Labelling of Cables for Identification

ISM-1098

Terminate Cable Systems at Cabinet Boundaries

ISM-1100

Terminating TOP SECRET Cables in Cabinets

ISM-1101

Terminate Cabling Closely in Top Secret Areas

ISM-1102

Terminate Cable Reticulation Close to Cabinet

ISM-1103

Terminate Cables Outside Cabinets in Secure Areas

ISM-1105

Ensure Wall Outlets Have Appropriate Cable Security

ISM-1107

Colour Restrictions for Wall Outlet Boxes

ISM-1109

Ensure Clear Plastic Covers for Wall Outlets

ISM-1111

Ensure Fibre-Optic Cables Replace Copper Cables

ISM-1112

Ensure Cables Are Inspectable Every Five Metres

ISM-1114

Ensure Separation in Cable Reticulation Systems

ISM-1115

Ensure Cables Use Conduits in Walls

ISM-1116

Ensure Separation Between Top Secret and Other Cabinets

ISM-1119

Ensure Cables in TOP SECRET Areas are Inspectable

ISM-1122

Secure TOP SECRET Cable Wall Exits

ISM-1123

Ensure UPS Powers All Top Secret IT Equipment

ISM-1130

Use Enclosed Systems for Shared Facility Cables

ISM-1133

Prevent Installation of TOP SECRET Cables in Shared Walls

ISM-1137

Contact ASD for Emanation Threat Assessment

ISM-1164

Use Clear Plastic for Shared Facility Cabling Covers

ISM-1216

Ensure Correct Labelling of Non-conformant Cables

ISM-1639

Label Building Management Cables Clearly

ISM-1640

Label Cables for Foreign Systems in Australia

ISM-1645

Maintain and Verify Floor Plan Diagrams Regularly

ISM-1646

Detail Cabling Paths and Points on Floor Plans

ISM-1718

Colour Code for SECRET Cables

ISM-1719

Color Code for TOP SECRET Cables

ISM-1720

Colour Coding for Secret Wall Outlet Boxes

ISM-1721

Red Colour Coding for TOP SECRET Outlet Boxes

ISM-1820

Ensure Consistent Cable Colours for Systems

ISM-1821

Ensuring Exclusive Bundling for TOP SECRET Cables

ISM-1822

Standardised Colour for Wall Outlet Boxes

ISM-1884

Ensure Compliance with Emanation Security Doctrine

ISM-1885

Implement TEMPEST Measures for System Security

ISM-0229

Guidelines for Discussing Sensitive Information Over Phones

ISM-0230

Advising on Risks of Non-Secure Telephone Systems

ISM-0231

Visual Indication for Secure Telephone Connections

ISM-0232

Encrypt External Traffic for Sensitive Calls

ISM-0233

Ensure Encryption for Sensitive Cordless Communications

ISM-0235

Use of Speakerphones in TOP SECRET Areas

ISM-0236

Implement Off-hook Audio Protection on Telephones

ISM-0245

Prevent MFD Connections to Digital Phone Systems

ISM-0546

Use Video and Voice-Aware Firewalls at Gateways

ISM-0547

Secure Protocols for Video and IP Telephony

ISM-0548

Ensure Secure Protocols for Video and IP Calls

ISM-0549

Separate Video Call Traffic from Other Data

ISM-0551

Ensure Secure IP Telephony Device Authentication

ISM-0553

Authenticate Video Calls and Manage Settings

ISM-0554

Secure Two-Way Authentication for Video Calls

ISM-0555

Ensure Authentication for IP Telephony Actions

ISM-0556

Ensure Traffic Separation for Video Conferencing and Telephony

ISM-0558

Restrict IP Phone Network Access in Public Areas

ISM-0559

Restrict Microphone and Webcam Use in SECRET Areas

ISM-0588

Develop and Maintain MFD Usage Policy

ISM-0589

Limit Document Sensitivity on MFDs Based on Network Classification

ISM-0590

Ensure Strong Authentication for Multi-Function Devices

ISM-0931

Off-hook Audio Protection Using Push-to-Talk Devices

ISM-1014

Implement Individual Logins for Secure IP Phone Use

ISM-1019

Develop a Denial of Service Response Plan

ISM-1036

Locating Multifunction Devices for Oversight

ISM-1078

Develop and Maintain Telephone System Usage Policy

ISM-1450

Restricting Devices in Top Secret Areas

ISM-1562

Secure Video Conferencing and Telephony Systems

ISM-1805

Develop a Denial of Service Response Plan

ISM-1854

Require User Authentication for Multifunction Devices

ISM-1855

Central Logging of Multifunction Device Use

ISM-2075

Prohibit the Use of Fax Machines for Messages

ISM-0142

Report Cryptographic Equipment Compromises Promptly

ISM-0455

Enable Data Recovery for Encrypted Data

ISM-0457

Use Evaluated Crypto for Sensitive Data Encryption

ISM-0459

Implement Full or Partial Disk Encryption for Data Protection

ISM-0460

Use HACE for Encrypting Sensitive Media

ISM-0462

Managing Encryption Access for IT Equipment and Media

ISM-0465

Use Evaluated Cryptographic Tools for Sensitive Data

ISM-0467

Using HACE for Secure Communication of Data

ISM-0469

Protect Data with ASD-Approved Cryptographic Protocols

ISM-0471

Use Only High Assurance Cryptographic Algorithms

ISM-0472

Using Proper Modulus Size for Diffie-Hellman Keys

ISM-0474

Using Secure Elliptic Curve Diffie-Hellman Encryption

ISM-0475

Use P-384 Curve for Secure Digital Signatures

ISM-0476

Ensuring Strong RSA Modulus for Digital Security

ISM-0477

Separate RSA Key Pairs for Different Functions

ISM-0479

Avoid Using ECB Mode for Symmetric Encryption

ISM-0481

Ensure Use of High Assurance Cryptographic Protocols

ISM-0484

Configure SSH for Enhanced Security

ISM-0485

Use Public Key Authentication for SSH Access

ISM-0487

Disable Certain Features for Passwordless SSH Logins

ISM-0488

Use Forced Commands for SSH Without Passwords

ISM-0489

SSH-Agent Key Expiry and Screen Lock Requirements

ISM-0490

Ensure S/MIME 3.0 or Later is Used

ISM-0494

Use of IPsec Tunnel and Transport Modes

ISM-0496

Use ESP Protocol for Secure IPsec Connections

ISM-0498

Ensure Short Lifetimes for IPsec Associations

ISM-0499

Ensure Compliance with ASD Communication Security Policies

ISM-0501

Transport of Keyed Cryptographic Equipment

ISM-0507

Develop and Maintain Cryptographic Key Management Processes

ISM-0994

Use ECDH for Secure Key Exchanges

ISM-0998

Using Integrity Algorithms for IPsec Connections

ISM-0999

Use DH or ECDH for Secure Key Establishment

ISM-1000

Utilising Perfect Forward Secrecy for IPsec

ISM-1080

Use Approved Encryption for Data at Rest

ISM-1091

Change Keying Material When Compromised

ISM-1139

Require Latest Version of TLS for Security

ISM-1233

Use IKE Version 2 for IPsec Key Exchange

ISM-1369

Ensure TLS Connections Use AES-GCM Encryption

ISM-1370

Ensure Only Server-Initiated TLS Renegotiation

ISM-1372

Secure Key Establishment Using DH or ECDH in TLS

ISM-1373

Ensure TLS Connections do not use Anonymous DH

ISM-1374

Use SHA-2 Certificates for Secure TLS Connections

ISM-1375

Use SHA-2 for Secure TLS Connections

ISM-1446

Use Approved Elliptic Curves for Encryption

ISM-1448

Use Ephemeral DH or ECDH for TLS Key Establishment

ISM-1449

Protect SSH Private Keys with Passwords or Encryption

ISM-1453

Ensure PFS is Enabled for TLS Connections

ISM-1506

Disable SSH Version 1 for Security

ISM-1553

Disable TLS Compression for Security

ISM-1629

Select Correct Modulus for Diffie-Hellman Encryption

ISM-1759

Ensure Strong Encryption with Diffie-Hellman

ISM-1761

Use NIST Curves for ECDH Encryption

ISM-1762

Use NIST P-384 Curve for ECDH Keys

ISM-1763

Use NIST P-384 Curve for ECDSA Signatures

ISM-1764

Use NIST P-384 Curve for ECDSA Signatures

ISM-1765

Use RSA with 3072-bit Modulus for Security

ISM-1766

Ensure Secure Hashing with SHA-2 Algorithm

ISM-1767

Use SHA-2 with Minimum 256-bit Output

ISM-1768

Use Appropriate SHA-2 Output Size for Hashing

ISM-1769

Using AES Encryption with Strong Key Lengths

ISM-1770

Utilise Strong AES Encryption Algorithms

ISM-1771

Use AES Encryption for IPsec Connections

ISM-1772

Use Secure Pseudorandom Functions for IPsec Connections

ISM-1802

Operate Approved High Assurance Cryptographic Equipment

ISM-1917

Support Post-Quantum Cryptographic Algorithms by 2030

ISM-1990

Adhering to Recommended FIPS Publications for ML-DSA and ML-KEM

ISM-1991

Implement ML-DSA for Enhanced Digital Signature Security

ISM-1992

Using Hedged Variant of ML-DSA for Digital Signatures

ISM-1993

Use Pre-Hashed ML-DSA Variants Only When Necessary

ISM-1994

Use Correct Hashing for ML-DSA Pre-hashed Variants

ISM-1995

Use ML-KEM for Secure Key Encapsulation

ISM-1996

Using Hybrid Schemes for Secure Encryption

ISM-2073

Develop a Post-Quantum Cryptography Transition Plan

ISM-0039

Develop and Maintain a Cyber Security Strategy

ISM-0041

Develop a Detailed System Security Plan

ISM-0043

Develop Cyber Security Incident Response Plans

ISM-0047

Approval Process for Cyber Security Documentation

ISM-0888

Annual Review of Cyber Security Documentation

ISM-0912

Establish and Manage System Configuration Changes

ISM-1163

Regular System Vulnerability Scanning and Testing

ISM-1563

Generate Comprehensive Security Assessment Reports

ISM-1564

Develop Plan of Action Post Security Assessment

ISM-1602

Ensure Cyber Security Docs Are Communicated

ISM-1739

Approve Security Architecture Before System Development

ISM-0120

Ensure Cyber Security Personnel Have Necessary Tools

ISM-0123

Report Cyber Security Incidents Promptly

ISM-0125

Maintaining a Cyber Security Incident Register

ISM-0133

Responding to Data Spills by Restricting Access

ISM-0137

Seek Legal Advice for Intrusion Evidence Collection

ISM-0138

Ensure Integrity of Evidence in Investigations

ISM-0140

Prompt Reporting of Cyber Incidents to ASD

ISM-0576

Develop and Maintain Cyber Security Incident Plans

ISM-0917

Procedures for Handling Malicious Code Infections

ISM-1213

Analyse Network Traffic Post-Intrusion Remediation

ISM-1609

Consult System Owners Before Continuing Intrusions

ISM-1625

Develop Insider Threat Mitigation Programs

ISM-1626

Seek Legal Advice for Insider Threat Plans

ISM-1731

Coordinate Intrusion Remediation on Separate Systems

ISM-1732

Coordinated Intrusion Remediation During Planned Outages

ISM-1784

Annual Testing of Cyber Incident Response Plan

ISM-1803

Document and Report Cyber Security Incidents

ISM-1819

Enact Cyber Security Incident Response Plans

ISM-1880

Timely Reporting of Cyber Incidents Involving Customer Data

ISM-1881

Timely Reporting of Cyber Incidents Without Data Breach

ISM-1969

Preventing Accidental Execution of Malicious Code

ISM-1970

Use Dedicated Environments for Malicious Code Analysis

ISM-0009

Identify Supplementary Controls for System Security

ISM-0027

Australian National Control of Sensitive Data Systems

ISM-0714

Appointment of CISO for Cyber Security Leadership

ISM-0717

CISO Oversight of Cyber Security Personnel

ISM-0718

CISO Reporting to Board on Cyber Security

ISM-0720

Develop and Maintain a Cyber Security Communication Strategy

ISM-0724

Implement Cyber Security Metrics and KPIs

ISM-0725

Coordinate Cyber Security Steering Committees

ISM-0726

Coordinate Security Risk Management Activities

ISM-0731

CISO Oversight of Cyber Supply Chain Risks

ISM-0732

Manage and Allocate Cyber Security Budget

ISM-0733

Ensure CISO Awareness of Cyber Incidents

ISM-0734

CISO Role in Disaster Recovery Planning

ISM-0735

Secure Facilities for Classified Systems

ISM-1071

Assign System Ownership for Better Oversight

ISM-1203

Risk Assessment for System Security

ISM-1478

CISO Management of Cyber Security Compliance

ISM-1525

Register Systems with Authorising Officers

ISM-1526

Monitor Systems and Assess Security Threats

ISM-1587

Annual Security Status Reporting for Systems

ISM-1617

Regular Review of Cyber Security Program

ISM-1618

CISO's Role in Cyber Security Incident Response

ISM-1633

Determine System Boundary and Security Objectives

ISM-1634

Select and Tailor System Security Controls

ISM-1635

Ensure Security Controls for System Environments

ISM-1636

Security Assessment for System Controls

ISM-1918

Regular Cyber Security Reporting to Audit Committee

ISM-1966

Register Management of Organisational Systems

ISM-1967

Ensure Security Assessment of TOP SECRET Systems

ISM-1968

Authorization for Operating High-Security Systems

ISM-1997

Define Cyber Security Roles for Leadership

ISM-1998

Integrate Cyber Security Across Business Functions

ISM-1999

Align Cyber Security with Business Strategy

ISM-2000

Regular Cyber Security Briefings for Executives

ISM-2001

Championing Cyber Security at an Executive Level

ISM-2002

Ensure Board Cyber Security Literacy for Compliance

ISM-2003

Monitor Cyber Security Workforce and Skill Gaps

ISM-2004

Enhancing Cyber Security Skills and Experience

ISM-2005

Understand Critical Systems and Their Security

ISM-2006

Executive Planning for Cyber Incident Preparedness

ISM-2020

Ensure Adequate Cyber Security Personnel Are Acquired

ISM-2021

Implement and Maintain Data Minimisation Practices

ISM-0657

Scanning Data for Threats Before Manual Import

ISM-0660

Monthly Verification of Data Transfer Logs for SECRET Systems

ISM-0661

User Accountability for Data Transfers

ISM-0663

Develop and Maintain Data Transfer Procedures

ISM-0664

Authorisation of Secret Data Exports

ISM-0665

Verification Required for Exporting Secret Data

ISM-0669

Security Measures for Manual Data Export

ISM-0675

Ensure Data Exports are Digitally Signed

ISM-1187

Check Data for Improper Markings Before Export

ISM-1294

Partial Monthly Verification of Data Transfer Logs

ISM-1535

Prevent Unsuitable Foreign Data Exports

ISM-1586

Record All Data Imports and Exports

ISM-1778

Quarantine Security-Noncompliant Data for Review

ISM-1779

Quarantine Data Failing Security Checks During Manual Export

ISM-0393

Classify Databases Based on Data Sensitivity

ISM-1243

Develop and Maintain a Database Register

ISM-1255

Restrict Database User Access Based on Duties

ISM-1256

Implement File-Based Access Controls for Databases

ISM-1268

Enforce Need-to-Know Access in Databases

ISM-1269

Ensure Databases and Web Servers are Separated

ISM-1270

Separate Network Segments for Database Servers

ISM-1271

Restrict Network Access to Database Servers

ISM-1272

Restrict Database Server Network Access to Localhost

ISM-1273

Segregate Environments for Database Servers

ISM-1274

Ensure Non-Production Databases Match Production Security

ISM-1277

Encrypt Data Between Database and Web Servers

ISM-1537

Log Security-Relevant Database Events Centrally

ISM-0264

Develop and Maintain an Email Usage Policy

ISM-0267

Blocking Access to Unapproved Webmail Services

ISM-0269

Restrict Sensitive Emails to Verified Recipients

ISM-0270

Apply Protective Markings to Emails Based on Sensitivity

ISM-0271

Prevent Automatic Email Marking by Protective Tools

ISM-0272

Prevent Unauthorised Protective Marking Selection

ISM-0565

Email Security for Protective Markings

ISM-0567

Restrict Email Relay to Specific Domains

ISM-0569

Centralise Email Routing via Gateways

ISM-0570

Maintain Backup Email Gateways to Primary Standards

ISM-0571

Ensure Secure Email Transmission via Gateways

ISM-0572

Enable Opportunistic TLS for Email Server Encryption

ISM-0574

Use SPF to Authorise Email Servers

ISM-0861

Enable DKIM Signing for Organisational Emails

ISM-1023

Notify Parties of Blocked Emails

ISM-1024

Verify Senders for Email Failure Notifications

ISM-1026

Verification of DKIM Signatures on Incoming Emails

ISM-1027

Configure Email Distribution Lists to Preserve DKIM Signatures

ISM-1089

Prevent Lower Email Protective Marking Selection

ISM-1151

Verify Email Authenticity Using SPF

ISM-1183

Implement Hard Fail SPF Records for Email Security

ISM-1234

Protect Email Systems with Content Filtering

ISM-1502

Ensure Multi-factor Authentication for Online Services

ISM-1540

Configuring DMARC for Email Security

ISM-1589

Enable MTA-STS for Secure Email Transport

ISM-1799

Enforce Email Rejection for Failed DMARC Checks

ISM-0240

Prevent Sensitive Data in Messaging Services

ISM-0682

Disable Bluetooth on SECRET/TS Mobile Devices

ISM-0687

Use Approved Platforms for Secure Mobile Access

ISM-0694

Restrict Access of Private Devices to Secret Systems

ISM-0701

CISO Management of Cyber Security Personnel

ISM-0702

Using Cryptographic Sanitisation on Mobile Devices

ISM-0705

Disable Split Tunnelling for VPN Connections

ISM-0863

Prevent Installation of Unapproved Mobile Apps

ISM-0864

Prevent Modifications to Security Settings on Mobile Devices

ISM-0866

Ensure Privacy While Viewing Data in Public

ISM-0869

Encrypting Storage on Mobile Devices

ISM-0870

Secure Storage and Handling of Mobile Devices

ISM-0871

Supervise Mobile Devices During Active Use

ISM-0874

Use VPNs for Internet Access on Mobile and Computers

ISM-1082

Develop and Maintain Mobile Device Usage Policy

ISM-1083

Advise Personnel on Mobile Communication Sensitivity

ISM-1084

Transporting Mobile Devices Securely

ISM-1085

Ensure Mobile Devices Encrypt Data Communications

ISM-1088

Report Potential Compromises of Mobile Devices Overseas

ISM-1145

Apply Privacy Filters to Protect Device Screens

ISM-1195

Enforce Policy with Evaluated Mobile Device Management

ISM-1196

Keep Mobile Devices Undiscoverable via Bluetooth

ISM-1198

Secure Bluetooth Pairing for Mobile Devices

ISM-1199

Remove Unnecessary Bluetooth Pairings on Devices

ISM-1200

Secure Bluetooth Pairing for Mobile Devices

ISM-1297

Change Default Credentials on Network Devices

ISM-1298

Advise Personnel on Overseas Mobile Device Security

ISM-1299

Personnel Awareness for Secure Mobile Device Usage

ISM-1300

Mobile Device Security After Overseas Travel

ISM-1366

Ensure Timely Security Updates for Mobile Devices

ISM-1400

Enforce Data Separation on Personal Devices

ISM-1482

Ensure Separation of Classified and Personal Data

ISM-1533

Establish Mobile Device Management Policies

ISM-1554

Guidelines for Using Mobile Devices Abroad

ISM-1555

Prepare Mobile Devices Before Overseas Travel

ISM-1556

Security Measures After Overseas Travel with Mobile Devices

ISM-1644

Secure Communication Practices in Public Areas

ISM-1866

Prevent Storing Classified Data on Personal Devices

ISM-1867

Use Approved Mobile Platforms for Sensitive Access

ISM-1868

Restrictions on Mobile Device Removable Media

ISM-1886

Ensure Mobile Devices Operate in Supervised Mode

ISM-1887

Implement Remote Locate and Wipe for Mobile Security

ISM-1888

Ensure Secure Lock Screens on Mobile Devices

ISM-0280

Choose PP-evaluated Products Over EAL-based Ones

ISM-0285

Ensuring Evaluated Products Follow Delivery Procedures

ISM-0286

Consult ASD for High Assurance IT Delivery Procedures

ISM-0289

Implement and Manage Evaluated Products Correctly

ISM-0290

Secure Configuration of High Assurance IT Equipment

ISM-0100

Regular IRAP Assessment of Sensitive Gateways

ISM-0260

Ensure All Web Access Uses Proxies

ISM-0261

Log Web Proxy Activity for Security Analysis

ISM-0263

Inspect and Decrypt TLS Traffic through Gateways

ISM-0591

Use Evaluated Peripheral Switches Securely

ISM-0597

Consult ASD Before Changing CDS Connectivity

ISM-0610

Train Users on Secure Use of CDSs

ISM-0611

Restrict Privileges for Gateway Administrators

ISM-0612

Training for Gateway System Administrators

ISM-0613

Requirement for Gateway System Administrators Nationality

ISM-0616

Ensure Separation of Duties for Gateway Admins

ISM-0619

User Authentication for Network Gateway Access

ISM-0622

Ensuring Network Authentication via Gateways

ISM-0626

Implementing CDS for Secure Network Segmentation

ISM-0628

Implementing Secure Network Gateways

ISM-0629

Manage Gateways Between Different Security Domains

ISM-0631

Restrict Data Flows with Authorised Gateways

ISM-0634

Central Logging for Gateway Security Events

ISM-0635

Ensure Network Paths are Isolated in CDSs

ISM-0637

Implementing Demilitarised Zones in Gateways

ISM-0639

High Assurance Evaluation for Diode Gateways

ISM-0643

Use of Diodes for Unidirectional Gateway Security

ISM-0645

High Assurance Evaluation of Unidirectional Gateways

ISM-0649

Filter Gateway Files for Allowed Types

ISM-0651

Block Malicious or Uninspectable Files

ISM-0652

Quarantine Suspicious Files for Review

ISM-0659

Filtering Content of Gateway and CDS Files

ISM-0670

Central Logging of CDS Security Events

ISM-0677

Ensure File Integrity Through Signature Validation

ISM-0958

Implement Domain Name Allow and Block Lists

ISM-0961

Restrict Active Content with Web Filters

ISM-0963

Implementing Web Content Filters for Safety

ISM-1037

Regular Testing for Security of Gateways

ISM-1157

Use NSA-evaluated Degaussers for Media Destruction

ISM-1158

High Assurance Evaluation for Network Diodes

ISM-1171

Block Direct IP Access to Websites

ISM-1192

Inspecting and Filtering Data with Gateways

ISM-1236

Blocking Malicious and Anonymous Domain Names

ISM-1237

Implement Web Content Filters for Outbound Traffic

ISM-1284

Ensure Content Validation for Gateway Files

ISM-1286

Ensure Content Conversion at Gateways

ISM-1287

Ensure Gateway and CDS File Content Sanitisation

ISM-1288

Antivirus Scanning of Gateway Files

ISM-1289

Ensure Content Filtering of Archive Files at Gateways

ISM-1290

Controlled Unpacking of Archive Files for Filtering

ISM-1293

Decryption of Files for Content Filtering

ISM-1389

Analyse Executable Files in Sandboxes

ISM-1427

Prevent IP Source Address Spoofing in Gateways

ISM-1457

Evaluate Peripheral Switches for Security Domains

ISM-1480

Ensure High Assurance for Peripheral Switches

ISM-1520

Employment Screening for Gateway Administrators

ISM-1521

Use Protocol Breaks to Separate Network Layers

ISM-1522

Ensure CDSs Separate Upward and Downward Data Paths

ISM-1523

Regular Assessment of Security Events in CDS

ISM-1524

Ensure Rigorous Testing of Content Filters

ISM-1528

Utilising Evaluated Firewalls for Network Security

ISM-1773

Eligibility Criteria for Gateway System Administrators

ISM-1774

Secure Management Paths for Network Gateways

ISM-1783

Secure BGP with Valid ROA for IP Addresses

ISM-1862

Restrict Access and Conceal Web Server IP Addresses

ISM-1965

Content Checking for Imported or Exported Files

ISM-2018

Secure BGP Routing with RPKI-Registered IP Addresses

ISM-2019

Routine Security Assessments for TOP SECRET Gateways

ISM-0293

Classify IT Equipment by Data Sensitivity

ISM-0294

Label IT Equipment with Protective Markings

ISM-0296

Approval Required for High Assurance IT Equipment Labelling

ISM-0305

On-Site Maintenance by Cleared Technicians

ISM-0306

Escort Unauthorised Technicians for IT Repairs

ISM-0307

Ensure Proper Sanitisation Before IT Maintenance

ISM-0310

Ensure Off-site IT Repairs Are Conducted at Approved Facilities

ISM-0311

Ensuring Sanitisation of IT Equipment Media

ISM-0312

Return Overseas Equipment for Destruction

ISM-0313

Develop and Maintain IT Equipment Sanitisation Procedures

ISM-0315

Ensure Destruction of High Assurance IT Equipment

ISM-0316

Formal Decision on IT Equipment Disposal

ISM-0317

Ensuring Data Erasure on Printer Cartridges and Drums

ISM-0318

Safely Disposing of Unsanitised Printer Components

ISM-0321

Contact ASD for Guidance on Secure IT Disposal

ISM-0336

Maintain a Comprehensive IT Equipment Register

ISM-1076

Sanitising Screens with Image Burn-in

ISM-1079

Seek Approval for High Assurance IT Repairs

ISM-1217

Remove Identifying Labels from IT Equipment Before Disposal

ISM-1218

Sanitise Overseas IT Equipment Handling Sensitive Data

ISM-1219

Inspect and Destroy MFD Print Drums for Toner

ISM-1220

Inspect and Destroy Retained Images on Printer Platens

ISM-1221

Processes for Sanitising Memory in Network Devices

ISM-1222

Destroy Unsanitised Televisions and Monitors

ISM-1223

Methods for Sanitising Network Device Memory

ISM-1534

Prevent Inappropriate Export of Sensitive Data

ISM-1550

Develop and Maintain IT Equipment Disposal Procedures

ISM-1551

Develop and Maintain IT Equipment Management Policy

ISM-1598

Inspect IT Equipment Post-Maintenance for Unauthorised Changes

ISM-1599

Proper Handling of Sensitive IT Equipment

ISM-1741

Implement IT Equipment Destruction Procedures

ISM-1742

Destroy Un-sanitizable IT Equipment Safely

ISM-1858

Implement Strict IT Equipment Hardening Guidelines

ISM-1869

Maintain Non-Networked IT Equipment Register

ISM-1913

Develop and Maintain Approved IT Configurations

ISM-0323

Classifying Media by Data Sensitivity

ISM-0325

Reclassify Media to Higher Sensitivity

ISM-0330

Proper Sanitisation and Reclassification of Media

ISM-0332

Label Media with Sensitivity or Classification

ISM-0337

Ensure Media is Used with Authorised Systems

ISM-0347

Use Write-Once Media for Secure Data Transfers

ISM-0348

Develop and Maintain Media Sanitisation Procedures

ISM-0350

Destroy Unsanitizable Media Before Disposal

ISM-0351

Proper Method for Volatile Media Sanitisation

ISM-0352

Secure Volatile Media by Overwriting with Random Data

ISM-0354

Ensuring Proper Sanitisation of Magnetic Media

ISM-0356

Classify Magnetic Media After Sanitisation

ISM-0357

Sanitising Non-volatile EPROM Media

ISM-0358

Classification Retention for Sanitised EPROM and EEPROM

ISM-0359

Proper Sanitisation of Non-Volatile Flash Memory

ISM-0360

Classification Retention After Flash Memory Sanitisation

ISM-0361

Using Degaussers for Magnetic Media Destruction

ISM-0362

Follow Manufacturer's Directions for Degaussing

ISM-0363

Develop and Maintain Media Destruction Processes

ISM-0368

Ensuring Media Particles Are No Larger Than 9 mm

ISM-0370

Supervise Media Destruction with Cleared Personnel

ISM-0371

Ensure Proper Supervision of Media Destruction

ISM-0372

Supervision of Media Destruction Procedures

ISM-0373

Supervise and Certify Accountable Material Destruction

ISM-0374

Develop and Maintain Media Disposal Procedures

ISM-0375

Decide on Public Release of Data Storage Media

ISM-0378

Remove Labels from Media Before Disposal

ISM-0831

Ensure Proper Handling of Sensitive Media

ISM-0835

Classification Retention of Sanitised TOP SECRET Volatile Media

ISM-0836

Overwriting EEPROM for Complete Data Sanitisation

ISM-0839

Prohibit Outsourcing of Media Destruction

ISM-0840

Certified Services for Outsourced Media Destruction

ISM-0947

Sanitise Media After Data Transfers Between Domains

ISM-1059

Ensure All Data on Media is Encrypted

ISM-1065

Reset Device Settings Before Media Sanitisation

ISM-1067

Secure Erase for Non-Volatile Magnetic Media

ISM-1160

Use NSA-evaluated Degaussers for Media Destruction

ISM-1359

Establish and Maintain Removable Media Policy

ISM-1361

Use Approved Equipment for Media Destruction

ISM-1517

Microform Destruction Using Fine Powder Method

ISM-1549

Develop and Maintain Media Management Policy

ISM-1600

Ensure Media is Sanitised Before Initial Use

ISM-1641

Ensure Degaussed Media is Physically Damaged

ISM-1642

Ensure Media is Sanitised Before Reuse

ISM-1713

Maintain and Verify a Removable Media Register

ISM-1722

Methods for Destroying Electrostatic Memory Devices

ISM-1723

Methods for Destroying Magnetic Floppy Disks

ISM-1724

Methods for Destroying Magnetic Hard Disks

ISM-1725

Methods for Destroying Magnetic Tapes

ISM-1726

Methods for Destructing Optical Disks

ISM-1727

Methods for Destroying Semiconductor Memory

ISM-1728

Handling Media Waste Based on Particle Size

ISM-1729

Storage Classification of Media Waste Particles

ISM-1735

Destroy Unsanitised Media Before Disposal

ISM-0385

Ensure Servers Operate Independently Through Separation

ISM-0516

Comprehensive Network Diagrams for Critical Components

ISM-0518

Maintain Comprehensive Network Documentation

ISM-0520

Prevent Unauthorised Network Device Connections

ISM-0521

Disable Unused IPv6 on Dual-Stack Devices

ISM-0529

Avoid Using VLANs for Different Security Domains

ISM-0530

Administer VLANs from Trusted Security Domains

ISM-0534

Disable Unused Network Device Ports

ISM-0535

Prevent VLAN Trunk Sharing Across Security Domains

ISM-0536

Segregate Public Wireless Networks from Organisation Networks

ISM-1006

Prevent Unauthorised Access to Network Traffic

ISM-1013

Limit Wireless Range with RF Shielding

ISM-1028

Use NIDS/NIPS for Gateway Network Security

ISM-1030

Deploy NIDS/NIPS for Gateway Traffic Monitoring

ISM-1178

Limit Network Documentation for Third Parties

ISM-1181

Segregate Networks by Server Criticality

ISM-1182

Implement Network Traffic Control Measures

ISM-1186

Ensure IPv6 Network Security Appliances Are Used

ISM-1304

Secure Network Devices by Changing Default Credentials

ISM-1311

Prevent Use of Insecure SNMP Versions on Networks

ISM-1312

Changing Default SNMP Community Strings on Devices

ISM-1314

Ensure Wireless Devices are Wi-Fi Alliance Certified

ISM-1315

Disable Wireless Network Administrative Interfaces

ISM-1316

Ensure Default Wireless SSIDs Are Changed

ISM-1317

Secure Naming of Non-Public Wireless Networks

ISM-1318

Prevent SSID Broadcasting on Access Points

ISM-1319

Avoid Static IP Addressing on Wireless Networks

ISM-1320

Avoid Using MAC Filtering for Wireless Access Control

ISM-1321

Implement EAP-TLS for Secure Wireless Authentication

ISM-1322

Assessing 802.1X Components in Wireless Networks

ISM-1323

Requiring Certificates for Wireless Network Access

ISM-1324

Certificate Generation for Secure Authentication

ISM-1327

Secure Certificates for Network Authentication

ISM-1330

Limit PMK Caching Duration on Wireless Networks

ISM-1332

Ensure Wireless Traffic is Secure with WPA3-Enterprise

ISM-1334

Ensure Frequency Separation in Wireless Networks

ISM-1335

Enabling 802.11w to Protect Wireless Management Frames

ISM-1338

Use Lower-Powered Wireless Access Points for Coverage

ISM-1364

Separate VLANs by Security Domains

ISM-1428

Disable IPv6 Tunnelling Unless Necessary

ISM-1429

Block IPv6 Tunnelling at Network Boundaries

ISM-1430

Configure IPv6 Addresses with DHCPv6 in Stateful Mode

ISM-1431

Strategies for Mitigating Denial-of-Service Attacks

ISM-1432

Protect Online Services from Domain Hijacking

ISM-1436

Segregate Critical Services to Prevent DoS Attacks

ISM-1437

Utilising Cloud Providers for Hosting Online Services

ISM-1438

Ensure High Availability by Using CDNs

ISM-1439

Restrict IP Disclosure in CDNs

ISM-1454

Enhancing Security with Encrypted RADIUS Communications

ISM-1479

Minimise Server-to-Server Communication

ISM-1532

Avoid Using VLANs for Network Separation

ISM-1577

Ensure Network Segregation from Service Providers

ISM-1579

Ensure Cloud Resource Scalability for Demand Spikes

ISM-1580

Ensure High Availability for Online Services

ISM-1581

Monitor Capacity and Availability of Online Services

ISM-1627

Block Inbound Traffic from Anonymity Networks

ISM-1628

Prevent Anonymity Network Traffic in Outbound Connections

ISM-1710

Secure Default Settings for Wireless Access Points

ISM-1711

Ensure User Identity Confidentiality in EAP-TLS

ISM-1712

Ensure Secure Authenticator Communication for Wireless FT

ISM-1781

Ensure All Network Data is Encrypted

ISM-1782

Use Protective DNS to Block Malicious Domains

ISM-1800

Ensure Network Devices Have Trusted Firmware

ISM-1801

Perform Monthly Restarts of Network Devices

ISM-1863

Restrict Exposure of Network Management Interfaces

ISM-1912

Document Device Settings for Critical and High-Value Servers

ISM-1962

Disable SMBv1 Protocol on Networks

ISM-1963

Central Logging of Events on Internet-Facing Devices

ISM-1964

Central Logging for Network Device Events

ISM-2017

Ensure DNS Traffic is Encrypted When Supported

ISM-2068

Restrict Internet Access for Networked Devices

ISM-0078

Australian Supervision of AUSTEO/AGAO Data Systems

ISM-0252

Annual Cyber Security Awareness for Personnel

ISM-0258

Establish and Maintain a Web Usage Policy

ISM-0405

Validation for Unprivileged System Access Requests

ISM-0407

Maintain Secure User Access Records

ISM-0409

Restrict Foreign Nationals' Access to Sensitive Data

ISM-0411

Restrict System Access for Foreign Nationals

ISM-0414

Ensure Unique Identification for System Access

ISM-0415

Strict Control of Shared User Accounts

ISM-0420

Identify Nationality of Foreign Personnel in System

ISM-0430

Immediate Suspension of Unneeded System Access

ISM-0432

Document System Access Requirements in Security Plans

ISM-0434

Ensure Personnel Employment Screening and Security Clearance

ISM-0435

Pre-Access Briefings for System Resources

ISM-0441

Ensuring Limited Access for Temporary System Use

ISM-0443

Restrict Temporary Access to Secure Systems

ISM-0445

Dedicated Accounts for Privileged User Activities

ISM-0446

Restrict Privileged Access for Foreign Nationals

ISM-0447

Restrict Privileged Access for Foreign Nationals

ISM-0817

Reporting Suspicious Online Contact Awareness

ISM-0820

Prevent Posting Work Info to Unauthorised Services

ISM-0821

Understanding Risks of Sharing Personal Information Online

ISM-0824

Avoid Using Unauthorised Online File Services

ISM-0854

Access Restrictions for AUSTEO and AGAO Data

ISM-1146

Separation of Work and Personal Online Accounts

ISM-1175

Restrict Privileged Users from Internet Access

ISM-1263

Enforce Unique Accounts for Server Administration

ISM-1404

Disabling Inactive User Access After 45 Days

ISM-1507

Ensure Requests for Privileged Access are Verified

ISM-1508

Limit Privileged Access to Essential Duties Only

ISM-1509

Log Privileged Access Events Centrally for Monitoring

ISM-1565

Annual Training for Privileged Users

ISM-1566

Central Logging of Unprivileged System Access

ISM-1583

Ensure Contractors are Identified as Users

ISM-1591

Suspend User Access for Malicious Activity

ISM-1610

Document and Test Emergency System Access Procedures

ISM-1611

Use Break Glass Accounts Only in Emergencies

ISM-1612

Restricted Use of Break Glass Accounts for Emergencies

ISM-1613

Central Logging of Break Glass Account Usage

ISM-1614

Manage Emergency Account Access Changes

ISM-1615

Testing Break Glass Accounts Post Credential Change

ISM-1647

Disable Privileged Access After 12 Months

ISM-1648

Disabling Inactive Privileged Access to Systems

ISM-1649

Implement Just-in-Time Administration for System Access

ISM-1650

Log Management of Privileged User Activities

ISM-1740

Training on Business Email Compromise for Payment Handling

ISM-1852

Limit Unprivileged Access to Essential Functions

ISM-1864

Develop and Enforce a System Usage Policy

ISM-1865

Compliance with System Usage Policies for Access

ISM-1883

Restrict Privileged Access to Necessary Service Duties

ISM-2022

Develop and Maintain Cyber Security Training Register

ISM-2071

Training on Managing Social Engineering Threats

ISM-2074

Establish AI Usage Policy for Systems Access

ISM-0161

Ensure Security of Unused IT Equipment and Media

ISM-0164

Prevent Unauthorised Viewing of System Displays

ISM-0225

Prevent Unauthorised RF and IR Device Entry

ISM-0810

Secure Facilities Based on System Classification

ISM-0813

Ensure Secure Access to Critical Infrastructure

ISM-0829

Detect Unauthorised RF Devices in Secure Areas

ISM-1053

Secure Physical Access for Classified Equipment

ISM-1074

Controlling Access to Critical IT Infrastructure

ISM-1296

Protect Network Devices in Public Areas

ISM-1530

Secure Classified Equipment in Suitable Security Containers

ISM-1543

Maintaining an Authorised RF and IR Device Register

ISM-1973

Secure Facilities for Non-Classified Systems

ISM-1974

Securing Non-Classified IT Equipment in Secure Rooms

ISM-1975

Secure Non-Classified Equipment in Safe Containers

ISM-2007

Maintain a Register for Medical Devices in Secure Areas

ISM-2008

Regulations for Bringing Medical Devices into Secure Areas

ISM-2009

Secure Network API Client Authentication and Authorisation

ISM-2069

Register Photographic Devices in Secure Areas

ISM-2070

Control Access to Recording Devices in Secure Areas

ISM-0072

Ensure Security in Contracts with Service Providers

ISM-0141

Report Cyber Incidents Promptly to Designated Contacts

ISM-1073

Ensure Provider Contracts for System Access

ISM-1395

Ensuring Data Protection by Service Providers

ISM-1451

Document Data Ownership in Service Contracts

ISM-1452

Assess Supply Chain Risks for IT and OT Suppliers

ISM-1529

Limit Cloud Services to Community or Private for SECRETS

ISM-1567

Avoid High-Risk Suppliers in Cyber Supply Chain

ISM-1568

Ensure Security Commitment from Suppliers

ISM-1569

Establish Shared Responsibility Model for Supply Chain

ISM-1570

Regular IRAP Assessment of Cloud Service Providers

ISM-1571

Verify Security Compliance in Service Contracts

ISM-1572

Document Service Provider Data Handling and Change Notifications

ISM-1573

Log Access Documentation with Service Providers

ISM-1574

Ensure Data Portability in Service Agreements

ISM-1575

One-Month Notice for Service Termination

ISM-1576

Notify Organisation of Unauthorised System Access

ISM-1631

Identify Suppliers in Cyber Supply Chain

ISM-1632

Ensure Secure Procurement from Reliable Suppliers

ISM-1637

Maintain a Cloud Service Register for Outsourcing

ISM-1638

Maintain a Comprehensive Outsourced Cloud Service Register

ISM-1736

Maintain a Register for Managed Services

ISM-1737

Maintain a Comprehensive Managed Service Register

ISM-1738

Ensure Regular Verification of Service Provider Security

ISM-1785

Develop and Maintain Supplier Management Policy

ISM-1786

Maintain an Approved Supplier List

ISM-1787

Ensure Suppliers are Approved for IT and OT Sourcing

ISM-1788

Identify Multiple Suppliers for Critical IT Sourcing

ISM-1789

Verify Authenticity for Delivery Acceptance in Supply Chain

ISM-1790

Ensure Integrity in IT and OT Deliveries

ISM-1791

Assess Integrity of Delivered IT and OT Products

ISM-1792

Assess Authenticity of IT and OT Deliveries

ISM-1793

Regular Assessment of Managed Service Providers

ISM-1794

Notify Significant Changes to Service Provider Agreements

ISM-1804

Include Break Clauses in Cloud Service Contracts

ISM-1882

Procurement from Transparent Suppliers

ISM-1971

Security Assessments for TOP SECRET Managed Services

ISM-1972

Security Assessments for Top Secret Cloud Services

ISM-0400

Segregation of Environments in Software Development

ISM-0401

Implement Secure by Design in Software Development

ISM-0402

Comprehensive Software Vulnerability Testing

ISM-0971

Use OWASP Standards in Web Application Development

ISM-1238

Incorporate Threat Modelling in Software Development

ISM-1239

Ensure Use of Robust Web Application Frameworks

ISM-1240

Ensure Input Validation and Sanitisation for Internet Data

ISM-1241

Ensuring Secure Web Application Output Encoding

ISM-1275

Ensure Secure Database Queries in Software

ISM-1276

Use Safe Database Query Methods

ISM-1278

Minimise Database Error Information in Software

ISM-1419

Ensure Software Changes Occur in Development Environments

ISM-1420

Ensure Non-Production Security Matches Production

ISM-1422

Prevent Unauthorised Access to Software Source

ISM-1424

Ensure Web Security Through Response Headers

ISM-1536

Prevent OLE Package Activation in Microsoft Office

ISM-1552

Secure Web Content with HTTPS Only

ISM-1616

Implementing a Vulnerability Disclosure Program

ISM-1717

Implement Security.txt for Vulnerability Disclosure

ISM-1730

Provide a Software Bill of Materials to Consumers

ISM-1754

Timely Resolution of Identified Software Vulnerabilities

ISM-1755

Develop and Maintain a Vulnerability Disclosure Policy

ISM-1756

Develop and Maintain Vulnerability Disclosure Processes

ISM-1780

Apply SecDevOps for Secure Software Development

ISM-1796

Digitally Sign Executable Software for Security

ISM-1797

Ensure Software Updates are Securely Signed

ISM-1798

Develop Secure Configuration Guidelines for Software

ISM-1816

Prevent Unauthorised Changes to Software Sources

ISM-1817

Secure API Access with Authentication and Authorisation

ISM-1818

Client Authentication for Network API Access

ISM-1849

Implement OWASP Top 10 in Web Development

ISM-1850

Mitigate OWASP Top 10 in Web Applications

ISM-1851

Secure Development Using OWASP API Security Top 10

ISM-1908

Responsible Disclosure of Software Vulnerabilities

ISM-1909

Perform Root Cause Analysis for Vulnerabilities

ISM-1910

Log Network API Calls for Data Protection

ISM-1911

Centralised Logging of Software Errors and Usage

ISM-1922

Use OWASP Standards in Mobile App Development

ISM-1924

Preventing Prompt Injection in AI Applications

ISM-2013

Ensure Client Authentication for Internal Network APIs

ISM-2014

Ensure API Client Authentication and Authorization

ISM-2015

Central Logging of Non-Internet Network API Data Access

ISM-2016

Ensure Input Validation and Sanitisation for Security

ISM-2023

Maintain a Reliable Source for Software

ISM-2024

Utilise Authoritative Sources in Software Development

ISM-2025

Using Issue Tracking for Software Development Tasks

ISM-2026

Scan Software Artefacts for Malicious Code

ISM-2027

Verify Software Artefacts with Digital Signatures

ISM-2028

Test Third-Party Software for Security Flaws

ISM-2029

Restrict Third-Party Libraries to Trustworthy Sources

ISM-2030

Prevent Storing Secrets in Software Repositories

ISM-2031

Secure System Build Tools Implementation

ISM-2032

Ensure Automated Tests Are Completed Before Building

ISM-2033

Document and Maintain Software Security Requirements

ISM-2034

Document and Review Security Design in Development

ISM-2035

Document Security Roles and Knowledge for Development

ISM-2036

Document Security Duties for Software Developers

ISM-2037

Training for Secure Software Development Skills

ISM-2038

Maintain Developer Cyber Security Skills Register

ISM-2039

Review Threat Model During Software Development

ISM-2040

Ensure Secure Programming Practices in Software Development

ISM-2041

Ensure Use of Memory-Safe Programming Practices

ISM-2042

Ensuring Security in Software Development Lifecycle

ISM-2043

Ensuring Readable and Maintainable Software Architecture

ISM-2044

Prevent Default Credentials in Software Installations

ISM-2045

Ensure Backwards Compatibility Doesn't Weaken Security

ISM-2046

Ensure Secure Impersonation Logging Practices

ISM-2047

Notify Users of Authentication Resets via Secondary Channel

ISM-2048

Restrict Non-Admins from Changing Permissions

ISM-2049

Enforcing Re-authentication After Permission Changes

ISM-2050

Validate Digital Signature Certificates Securely

ISM-2051

Ensure Event Logs for Cybersecurity Event Detection

ISM-2052

Ensure Event Logs Protect Sensitive Data

ISM-2053

Establish Software End of Life Procedures

ISM-2054

Ensure No Vulnerabilities in Third-Party Software Components

ISM-2055

Ensure Software Components Meet Build Standards

ISM-2056

Provide Provenance for Software Builds

ISM-2057

Ensure Comprehensive Input Validation in Software

ISM-2058

Ensure Data Validation Before Deserialisation

ISM-2059

Restrict and Scan File Uploads for Security

ISM-2060

Ensure Code Reviews Support Secure Design

ISM-2061

Conduct Security-Focused Peer Reviews on Software

ISM-2062

Effective Software Security through Testing

ISM-2063

Ensure Web App Cookies Have Security Flags

ISM-2064

Ensure Secure Cookies with Signed Bearer Tokens

ISM-2065

Ensure Secure Session Cookies with High Entropy Tokens

ISM-2066

Centralised Management of Web Application Sessions

ISM-2067

Ensure Single Logout for Single Sign-On Web Applications

ISM-2072

Ensure AI Models are Stored Securely

ISM-2082

Using Cryptographic BOM in Software Development

ISM-2083

Provide a Cryptographic Bill of Materials to Software Users

ISM-2084

Document AI Model Characteristics and Risks

ISM-2085

Prevent Exposure of AI Model Confidence Scores

ISM-2086

Verify AI Model Source and Integrity

ISM-2087

Ensuring Integrity of AI Model Training Data

ISM-2088

Ensuring AI Training Data Integrity

ISM-2089

Monitor and Investigate AI Model Anomalies

ISM-2090

Rate Limiting for AI Model Inference Queries

ISM-2091

Enforce Resource Limits on AI Models

ISM-2092

Implement Fine-Grained AI Application Permissions

ISM-2093

Restrict Access to AI Data with Role-Based Controls

ISM-2094

AI Content Filtering to Protect Sensitive Data

ISM-0341

Disable Automatic Execution for Removable Media

ISM-0343

Disabling Unnecessary Access to Removable Media

ISM-0345

Disable External Interfaces for Direct Memory Access

ISM-0380

Disable Unneeded OS Accounts and Services

ISM-0382

Restrict Unprivileged User Actions on Applications

ISM-0383

Change Default OS User Accounts During Setup

ISM-0408

System Login Security Reminder Banner

ISM-0417

Use Passwords When Multi-Factor Authentication Isn't Supported

ISM-0418

Keep Physical Credentials Separate from Systems

ISM-0421

Require Minimum 15-Character Passwords for Security

ISM-0422

Ensuring Strong Passwords for TOP SECRET Systems

ISM-0428

Enforcement of Secure Session Locking Measures

ISM-0582

Central Logging of Windows Security Events

ISM-0843

Ensure Workstation Security with Application Control

ISM-0846

Application Control Restrictions for Users

ISM-0853

Automatic Termination of Inactive User Sessions

ISM-0938

Select Secure-by-Design Committed Vendors

ISM-0955

Implementing Application Control Measures

ISM-0974

Implement Multi-factor Authentication for User Access

ISM-1034

Disable Legacy Authentication Methods in Networks

ISM-1055

Disable Insecure LAN Manager Authentication

ISM-1173

Use Multi-Factor Authentication for Privileged Users

ISM-1227

Randomly Generate User Account Credentials

ISM-1235

Restrict Add-ons to Approved Set in Applications

ISM-1245

Clean Up Temporary Files Post-Installation

ISM-1246

Apply Strict Server Application Hardening Guidelines

ISM-1247

Disable or Remove Unneeded Server Features

ISM-1249

Limit Server Application User Privileges

ISM-1250

Limit Server Application User Account Privileges

ISM-1260

Secure Server Applications by Changing Default Credentials

ISM-1341

Implement HIPS or EDR on Workstations

ISM-1392

Restrict File Modifications via Path Rules

ISM-1401

Implement Multi-Factor Authentication for Security

ISM-1402

Protecting Stored Credentials with Security Measures

ISM-1403

Lock User Accounts After Failed Login Attempts

ISM-1406

Use SOEs for Workstations and Servers

ISM-1407

Ensure Use of Current OS Versions

ISM-1408

Use 64-bit Operating Systems Where Supported

ISM-1409

Implement Restrictive OS Hardening Guidelines

ISM-1412

Web Browser Hardening with Strict Guidelines

ISM-1416

Implement Firewalls to Control Network Connections

ISM-1417

Comprehensive Antivirus Protection on Systems

ISM-1418

Disable Unnecessary Removable Media Access

ISM-1460

Ensure Secure Design in Virtual Server Isolation

ISM-1461

Ensure Same Classification for Virtualised Environments

ISM-1467

Ensure Use of Latest User Applications

ISM-1470

Disable Unneeded Software Functions and Services

ISM-1471

Utilise Publisher and Product Names in App Control

ISM-1483

Ensure Use of Latest Server Application Releases

ISM-1485

Prevent Web Browsers from Processing Ads

ISM-1486

Restrict Java Processing in Web Browsers

ISM-1487

Restrict Macro Editing to Privileged Users

ISM-1488

Blocking Internet-Originating Macros in Office Files

ISM-1489

Prevent Users from Changing Office Macro Security Settings

ISM-1490

Implement Application Control on Internet-Facing Servers

ISM-1491

Prevent Script Execution by Unprivileged Users

ISM-1492

Enable Exploit Protection in Operating Systems

ISM-1504

Implement Multi-factor Authentication

ISM-1505

Implement Multi-factor Authentication for Data Repositories

ISM-1542

Disable OLE in Microsoft Office for Security

ISM-1544

Implement Microsoft's Application Blocklist

ISM-1546

Ensure User Authentication Before System Access

ISM-1557

Ensure Strong Passwords for SECRET Systems

ISM-1558

Ensure Secure Construction of Passwords

ISM-1559

Minimum Password Length for Secure Systems

ISM-1560

Ensure Strong Passwords for SECRET System Authentication

ISM-1561

Ensure Strong Passwords for TOP SECRET Systems

ISM-1582

Routine Validation of Application Control Rulesets

ISM-1584

Prevent Unauthorised Changes to Security Settings

ISM-1585

Prevent User Changes to Browser Security Settings

ISM-1588

Annual Review of Standard Operating Environments

ISM-1590

Mandate Credential Changes Upon Compromise

ISM-1592

Prevent Unauthorised Application Installations by Users

ISM-1593

Verifying User Identity for New Credentials

ISM-1594

Secure Delivery of User Account Credentials

ISM-1595

Ensure Initial User Credentials Are Changed

ISM-1596

Avoid Reusing Credentials Across Systems

ISM-1597

Ensuring Credential Input Obscurity

ISM-1601

Implement Microsoft Attack Surface Reduction Rules

ISM-1603

Disabling Vulnerable Authentication Methods

ISM-1604

Hardening Virtual Server Isolation Configuration

ISM-1605

Harden Operating Systems for Secure Virtual Environments

ISM-1606

Apply Timely Updates to Isolation Mechanisms

ISM-1607

Integrity Monitoring for Shared Servers

ISM-1608

Scan Third-Party SOEs for Malicious Code

ISM-1619

Configure Service Accounts as Managed Service Accounts

ISM-1620

Ensure Privileged Accounts are Secured in AD

ISM-1621

Disable or Remove Windows PowerShell 2.0

ISM-1622

Ensure PowerShell Uses Constrained Language Mode

ISM-1623

Centralised Logging of PowerShell Activities

ISM-1624

Protect PowerShell Script Block Logs

ISM-1654

Disable or Remove Internet Explorer 11

ISM-1655

Ensure .NET Framework 3.5 is Disabled or Removed

ISM-1656

Implement Application Control on Secure Servers

ISM-1657

Restrict Application Execution to Approved Set

ISM-1658

Restrict Execution of Drivers via Application Control

ISM-1659

Implement Microsoft's Vulnerable Driver Blocklist

ISM-1660

Central Logging of Application Events

ISM-1667

Prevent Child Processes in Microsoft Office

ISM-1668

Prevent Microsoft Office from Creating Executable Files

ISM-1669

Prevent Microsoft Office from Injecting Code

ISM-1670

Prevent PDF Applications from Creating Child Processes

ISM-1671

Disabling Microsoft Office Macros for Unauthorised Users

ISM-1672

Enable Antivirus Scanning for Office Macros

ISM-1673

Prevent Win32 API Calls by Office Macros

ISM-1674

Ensuring Secure Execution of Microsoft Office Macros

ISM-1675

Prevent Enabling Untrusted Microsoft Office Macros

ISM-1676

Validate Trusted Publishers for Microsoft Office

ISM-1679

Use Multi-factor Authentication for Third-party Services

ISM-1680

Use Multi-Factor Authentication for Online Services

ISM-1681

Mandating Multi-Factor Authentication for Customer Services

ISM-1682

Enhance User Security with Phishing-resistant MFA

ISM-1683

Central Logging of Multi-factor Authentication Events

ISM-1685

Strengthening Passwords for Critical Accounts

ISM-1686

Enable Credential Guard for Credential Protection

ISM-1743

Choose Secure Operating System Vendors

ISM-1745

Enable Security Features for System Protection

ISM-1746

Restrict File System Permission Changes

ISM-1748

Prevent Changes to Email Client Security Settings

ISM-1749

Limit Cached Credentials to Single Logon

ISM-1795

Set 30-Character Minimum for Key Administrator Passwords

ISM-1806

Change Default User Credentials During Setup

ISM-1823

Prevent Users from Changing Security Settings in Apps

ISM-1824

Prevent Changes to PDF Application Security Settings

ISM-1825

Ensure Security Configuration Is Immutable by Users

ISM-1826

Select Vendors Committed to Secure Design for Servers

ISM-1827

Use Dedicated Admin Accounts for Domain Controllers

ISM-1828

Disable Print Spooler on AD DS Domain Controllers

ISM-1829

Prevent Password Storage in Group Policy Preferences

ISM-1830

Central Logging for Microsoft AD Server Activities

ISM-1832

SPN Configuration for Active Directory Accounts

ISM-1833

Limit Privileges for User Accounts in Active Directory

ISM-1834

Ensure No Duplicate SPNs in Active Directory

ISM-1835

Restrict Delegation of Privileged Active Directory Accounts

ISM-1836

Require Kerberos Pre-Authentication for User Accounts

ISM-1837

Ensure User Account Passwords Are Configured Properly

ISM-1838

Restrict UserPassword Attribute in AD Accounts

ISM-1839

Secure Account Properties in Active Directory

ISM-1840

Prevent Reversible Encryption of User Passwords

ISM-1841

Restrict Domain Joining to Admin Users Only

ISM-1842

Use Privileged Accounts for Domain Machine Addition

ISM-1843

Annual Review of Unconstrained Delegation in AD Accounts

ISM-1844

Prevent Non-Controller Accounts from Delegating Services

ISM-1845

Disable User Security Group Access in Active Directory

ISM-1846

Restrict Pre-Windows 2000 Access Group Membership

ISM-1847

Regularly Change KRBTGT Credentials for Security

ISM-1848

Replace Unsupported Software in Server Isolation

ISM-1859

Hardening Office Productivity Suites

ISM-1860

Harden PDF Applications Using ASD Guidance

ISM-1861

Enable Local Security Authority Protection

ISM-1870

Implement Application Control for User Profiles and Folders

ISM-1871

Implement Application Control Exclusions for System Areas

ISM-1872

Ensuring Phishing-Resistant Multi-Factor Authentication

ISM-1873

Enhance Security with Phishing-Resistant MFA

ISM-1874

Phishing-Resistant Multi-Factor Authentication for Customers

ISM-1875

Monthly Network Scans for Clear-Text Credentials

ISM-1889

Central Logging of Command Line Events

ISM-1890

Ensure Macros Are Free of Malicious Code

ISM-1891

Restrict Non-V3 Signed Macros in Microsoft Office

ISM-1892

Implement Multi-factor Authentication for Customer Services

ISM-1893

Enforcing Multi-Factor Authentication for User Security

ISM-1894

Ensuring Phishing-Resistant Multi-factor Authentication

ISM-1895

Log Single-factor Authentication Events

ISM-1896

Enable Memory Integrity for Credential Protection

ISM-1897

Enable Remote Credential Guard for Credential Protection

ISM-1914

Ensure Operating Systems Have Approved Configurations

ISM-1915

Ensure User Application Configurations are Approved

ISM-1916

Ensure Server Application Configurations Are Approved

ISM-1919

Disable Non-MFA Authentication Protocols

ISM-1920

Prevent Self-enrollment on Untrusted Devices

ISM-1926

Ensure Exclusive Usage of Microsoft AD Servers

ISM-1927

Restrict Access to Microsoft Active Directory Servers

ISM-1928

Secure and Encrypt Backups of AD Servers

ISM-1929

Ensure LDAP Signing on AD DS Domain Controllers

ISM-1930

Prevent Storing Passwords in Group Policy Preferences

ISM-1931

Ensure SID Filtering for Domain and Forest Trusts

ISM-1932

Limit Service Accounts with SPNs in Active Directory

ISM-1933

Restrict DCSync Permissions on Service Accounts

ISM-1934

Annual Review of DCSync Permissions

ISM-1935

Prevent Unconstrained Delegation in Domain Services

ISM-1936

Prevent Usage of sIDHistory in User Accounts

ISM-1937

Weekly Audit of sIDHistory in User Accounts

ISM-1938

Restrict Domain Computers Group in Active Directory

ISM-1939

Limit Domain and Enterprise Admin Group Memberships

ISM-1940

Restrict Service Accounts from Privileged AD Groups

ISM-1941

Restrict Computer Accounts from Privileged Groups

ISM-1942

Restrict Domain Computers from Privileged Groups

ISM-1943

Enforce Certificate and User Mapping in AD Services

ISM-1944

Configuration Changes in Active Directory Certificate Services

ISM-1945

Remove Enrollee Supplies Subject Flag from Templates

ISM-1946

Restrict Write Access to Certificate Templates

ISM-1947

Remove User Authentication from Extended Key Usages

ISM-1948

Approval for Certificate Template SANs in AD Services

ISM-1949

Use Dedicated Accounts for AD FS Administration

ISM-1950

Disable Soft Matching After Synchronisation

ISM-1951

Disable Hard Match Takeover in Microsoft Entra Connect

ISM-1952

Prevent Synchronisation of Privileged Accounts

ISM-1953

Ensure Strong Management of Admin Account Credentials

ISM-1954

Enforce Random Credentials for Administrator Accounts

ISM-1955

Regularly Change Compromised Credentials

ISM-1956

Regularly Update AD FS Certificates to Prevent Risks

ISM-1957

Ensure CA Servers Use Hardware Security Modules

ISM-1976

Central Logging of Security Events on macOS

ISM-1977

Central Logging of Linux System Events

ISM-1978

Centralised Logging for Server Application Events

ISM-1979

Central Logging for Security Events on Servers

ISM-1980

Avoid Using Credential Hints in Systems

ISM-2010

Ensure SPNs Use Strong Encryption in AD Services

ISM-2011

Restrict MFA Options to Phishing-resistant Only

ISM-2012

Ensure Secure Screen Locking on Systems

ISM-2076

Eliminating Security Questions for Authentication

ISM-2077

Avoid Email for Out-of-Band Authentication

ISM-2078

Ensure Passwords Are Not Common or Compromised

ISM-2079

Ensure Password Length is at Least 64 Characters

ISM-2080

No Password Complexity Requirements Enforced

ISM-2081

Enforce Use of All ASCII Characters in Passwords

ISM-0042

Maintain Effective System Administration Practices

ISM-0298

Centralised System Patch and Update Management

ISM-0300

Apply System Security Patches with Approval

ISM-0304

Remove Unsupported Applications for System Security

ISM-1143

Develop and Maintain Patch Management Procedures

ISM-1211

System Admin Activities Follow Change Management Plan

ISM-1380

Use Separate Privileged and Unprivileged Environments

ISM-1385

Segregation of Administrative Infrastructure from Networks

ISM-1386

Restrict Network Management Traffic Origin

ISM-1387

Use Jump Servers for Administrative Activities

ISM-1493

Ensure Regular Updates of Software Registers

ISM-1501

Replace Unsupported Operating Systems

ISM-1510

Develop and Maintain a Digital Preservation Policy

ISM-1511

Conduct and Maintain Regular Data Backups

ISM-1515

Test Backup Restoration During Disaster Recovery

ISM-1547

Develop and Maintain Data Backup Procedures

ISM-1548

Develop and Maintain Data Restoration Processes

ISM-1643

Maintain Detailed Software Version and Patch Records

ISM-1687

Prevent Virtualisation of Privileged Environments

ISM-1688

Restrict Privileged Environment Access

ISM-1689

Restrict Privileged Accounts Access to Non-Privileged Environments

ISM-1690

Timely Application of Non-Critical Vulnerability Patches

ISM-1691

Timely Vulnerability Patching in Software Tools

ISM-1692

Quick Apply Critical Patches for Vulnerabilities

ISM-1693

Timely Application of Patches to Mitigate Vulnerabilities

ISM-1694

Timely Application of Non-Critical Security Patches

ISM-1695

Timely Application of System Security Patches

ISM-1696

Apply Critical Patches Within 48 Hours

ISM-1697

Apply Non-Critical Patches Within One Month

ISM-1698

Daily Vulnerability Scanning for Missing Updates

ISM-1699

Weekly Vulnerability Scanning for Software Updates

ISM-1700

Regular Vulnerability Scanning for Applications

ISM-1701

Daily Vulnerability Scanning for Internet-Facing Systems

ISM-1702

Regularly Scan for Missing Security Patches

ISM-1703

Regular Vulnerability Scanning for Missing Patches

ISM-1704

Remove Unsupported Software to Ensure Security

ISM-1705

Restrict Access to User Account Backups

ISM-1706

Prevent Backup Access by Privileged Users

ISM-1707

Restrict Backup Modifications by Privileged Users

ISM-1708

Prevent Backup Modifications During Retention

ISM-1750

Segregation of Administrative Infrastructure for Server Security

ISM-1751

Timely Application of Vendor Patches for Non-Critical OS Vulnerabilities

ISM-1752

Fortnightly Vulnerability Scanning for Non-Workstations

ISM-1753

Replace Unsupported Internet-Facing Devices

ISM-1807

Automated Asset Discovery for Vulnerability Scanning

ISM-1808

Vulnerability Scanning with Updated Tools

ISM-1809

Implement Compensating Controls for Unsupported Systems

ISM-1810

Ensuring Data Backup Synchronisation

ISM-1811

Secure and Resilient Data Backup Retention

ISM-1812

Restrict Backup Access to Unprivileged Users

ISM-1813

Prevent Unauthorised User Access to Backup Data

ISM-1814

Prevent Backup Modifications by Unprivileged Users

ISM-1876

Apply Critical Patches Within 48 Hours

ISM-1877

Timely Application of Critical Security Patches

ISM-1878

Apply Critical Patches Within 48 Hours

ISM-1879

Timely Patching of Critical Driver Vulnerabilities

ISM-1898

Use Secure Admin Workstations for Administration

ISM-1899

Restrict Unauthorised Network Connections

ISM-1900

Fortnightly System Vulnerability Scanning

ISM-1901

Timely Application of Non-Critical Security Patches

ISM-1902

Apply Non-Critical Patches to Non-Internet Systems Promptly

ISM-1903

Rapid Application of Critical Firmware Patches

ISM-1904

Apply Firmware Patches for Non-Critical Vulnerabilities

ISM-1905

Disclosure of Software Vulnerabilities Responsibly

ISM-1921

Assess System Compromise Risks Often

ISM-1958

Prevent Unauthorised Access for DCSync Accounts

ISM-1981

Replace Unsupportable Non-Internet Network Devices

ISM-1982

Replace Unsupported Networked IT Equipment

ISM-0109

Restrict Sensitive Emails in Distribution Lists

ISM-0580

Develop and Maintain Event Logging Policies

ISM-0585

Capture Detailed Information in Event Logs

ISM-0988

Ensure Accurate Time Source for Event Logs

ISM-1228

Analyse Cyber Security Events Promptly

ISM-1405

Implement a Centralised Event Logging Facility

ISM-1815

Protect Event Logs from Unauthorised Access

ISM-1906

Timely Analysis of Internet-Facing Server Logs

ISM-1907

Timely Analysis of Non-Internet-Server Logs

ISM-1959

Ensure Consistent Formatting for Event Logs

ISM-1960

Timely Analysis of Event Logs for Cybersecurity

ISM-1961

Timely Analysis of Network Device Event Logs

ISM-1983

Timely Centralisation of Event Logs

ISM-1984

Ensure Encryption of Event Logs in Transit

ISM-1985

Protect Event Logs from Unauthorised Access

ISM-1986

Timely Analysis of Critical Server Event Logs

ISM-1987

Timely Analysis of Security Event Logs

ISM-1988

Ensure Event Logs Are Retained for 12 Months

ISM-1989

Ensure Event Logs Meet Retention Requirements