Australian Government - Attorney-General's Department

Protective Security Policy Framework


10 Safeguarding information from cyber threats

Purpose

This policy describes how entities can mitigate common and emerging cyber threats. Cyber threats faced by the Australian Government commonly include:

  1. external adversaries who steal data
  2. ransomware that denies access to data, and external adversaries who destroy data and prevent systems from functioning
  3. malicious insiders who steal data
  4. malicious insiders who destroy data and prevent systems from functioning.

The most common cyber threat facing entities is external adversaries who attempt to steal data. Often these adversaries want access to systems and information through email and web pages. It is critical that entities safeguard the information held on systems that can receive emails or browse internet content.

The Australian Cyber Security Centre (ACSC) has identified and prioritised strategies to help entities mitigate cyber threats. While no single mitigation strategy is guaranteed to prevent a cyber security incident, the ACSC estimates many cyber intrusions could be mitigated by whitelisting applications, patching applications and operating systems, and restricting administrative privileges.


Requirements

Core requirement

Each entity must mitigate common and emerging cyber threats. This includes implementing the following Information Security Manual (ISM) Strategies to Mitigate Cyber Security Incidents:

  1. application whitelisting
  2. patching applications
  3. restricting administrative privileges
  4. patching operating systems.

Supporting requirements

Supporting requirements help protect information stored on workstations and servers from cyber threats by implementing key ISM protections (note 1). These are commonly known as the Top 4 strategies to mitigate cyber security incidents. The supporting requirements also mandate safeguarding information from cyber threats when engaging with members of the public online.

 

Supporting requirements for safeguarding information from cyber threats

Requirement 1.

Application whitelisting

For standard operating environments on internet-connected systems, entities must only allow an approved/trusted set of executables, software libraries, scripts and installers to run.

Requirement 2.

Patching vulnerabilities in applications
  1. Entities must successfully patch (or where patches are not available, otherwise mitigate) vulnerabilities in their applications (Note i) in a timely manner, which means:
    1. for applications exposed to extreme risk, within 48 hours of security vulnerabilities being identified
    2. for other applications, as soon as possible (and no later than 30 calendar days) after a patch is released.
  2. Entities must not use applications that are no longer supported by vendors.

Requirement 3.

Restricting administrative privileges

Entities must restrict administrative privileges to operating systems and applications based on user duties by ensuring that:

  1. the use of privileged accounts is controlled and auditable
  2. controls are in place to prevent privileged accounts from being used to read emails, browse the web or obtain files via internet sources.

Requirement 4.

Patching vulnerabilities in operating systems
  1. Entities must successfully patch (or where patches are not available, otherwise mitigate) vulnerabilities in their operating systems in a timely manner, which means:
    1. for operating systems exposed to extreme risk, within 48 hours of security vulnerabilities being identified
    2. for other operating systems, as soon as possible (and no later than 30 calendar days) after a patch is released.
  2. Entities must not use operating systems that are no longer supported by vendors.

Requirement 5.

Transacting online with the public

Entities must not expose the public to unnecessary cyber security risks when they transact online with government.

Supporting requirements notes:

i For example, Flash, web browsers, Microsoft Office, Java and PDF viewers.

Guidance

When implementing a mitigation strategy, first implement it for workstations of high risk users and for internet-connected systems before implementing more broadly.

Application whitelisting

Malicious code (malware) often aims to exploit security vulnerabilities in existing applications and does not need to be installed on the workstation to be successful. Application whitelisting is effective in addressing instances of malicious code.

 

Application whitelisting under the Information Security Manual

Key ISM controls relating to application whitelisting include:

  • ISM security control 0843: an application whitelisting solution is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set
  • ISM security control 1490: an application whitelisting solution is implemented on Active Directory servers, email servers and other servers handling user authentication to restrict the execution of executables, software libraries, scripts and installers to an approved set.

Application whitelisting ensures that only authorised applications (eg programs, software libraries, scripts and installers) can be executed. As such, application whitelisting prevents malicious software and unapproved programs from running. Through application whitelisting, an entity can protect its internet-connected systems by:

  1. identifying authorised applications
  2. developing rules to ensure only authorised applications can execute
  3. maintaining whitelisting rules using a change-management program.

The ACSC recommends entities use one or more whitelisting methods, being:

  1. cryptographic hashes – the most effective mechanism to prevent malicious code from executing
  2. publisher certificates – certificates combine both publisher names and product names
  3. paths – only allowing applications from a specific file or folder path. If used, particular care is needed to ensure personnel cannot overwrite files that have been whitelisted or write new content into whitelisted paths.

It is important that users and system administrators cannot temporarily or permanently disable, bypass or be exempt from application whitelisting mechanisms (except when conducting authorised administrative activities). This maintains the integrity of application whitelisting as a security treatment.
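The following added example (not part of the PSPF or of any ACSC tool) shows how the three whitelisting methods above can be evaluated in order of strength, and how a path rule is refused when the whitelisted location is writable by ordinary users, which is the caveat the guidance raises. The policy, hashes, publisher names and paths are constructed sample values, and the publisher name is assumed to have already been verified against a trusted code-signing certificate.

```python
import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional, Set, Tuple

# Added example, not PSPF or ACSC code. It models the three whitelisting methods the
# guidance lists (hashes, publisher certificates, paths) and enforces the caveat that a
# path rule must never cover a location users can write to. All hashes, publisher names
# and paths below are constructed sample values.


@dataclass
class AllowlistPolicy:
    sha256_hashes: Set[str] = field(default_factory=set)
    publishers: Set[Tuple[str, str]] = field(default_factory=set)  # (publisher name, product name)
    paths: Set[str] = field(default_factory=set)                   # approved directory prefixes


@dataclass
class Executable:
    path: str
    content: bytes
    publisher: Optional[str] = None       # signer name; assumed already verified against a trusted chain
    product: Optional[str] = None
    dir_writable_by_users: bool = False   # can non-privileged users write into the containing directory?


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_under(path: str, prefix: str) -> bool:
    """True if path lies inside the prefix directory (case-insensitive, as on Windows)."""
    return PureWindowsPath(prefix) in PureWindowsPath(path).parents


def evaluate(exe: Executable, policy: AllowlistPolicy) -> Tuple[bool, str]:
    """Decide whether exe may run. Rules are tried strongest first: hash, publisher, path."""
    digest = sha256_hex(exe.content)
    if digest in policy.sha256_hashes:
        return True, "hash"
    if exe.publisher is not None and (exe.publisher, exe.product) in policy.publishers:
        return True, "publisher"
    for prefix in policy.paths:
        if is_under(exe.path, prefix):
            if exe.dir_writable_by_users:
                # Caveat from the guidance: a whitelisted path that users can write into
                # lets anyone drop a new binary there and have it run, so refuse the rule.
                return False, "path rule rejected: user-writable location"
            return True, "path"
    return False, "no matching rule"


# Constructed sample policy and executables (not real software).
APPROVED_TOOL = b"MZ...approved tool image"
POLICY = AllowlistPolicy(
    sha256_hashes={sha256_hex(APPROVED_TOOL)},
    publishers={("Example Vendor Pty Ltd", "Example Suite")},
    paths={"C:/Program Files/Approved"},
)

SAMPLES = [
    Executable("C:/Users/alice/Downloads/tool.exe", APPROVED_TOOL),               # hash rule, any location
    Executable("C:/Users/alice/Downloads/setup.exe", b"MZ...unknown installer"),  # nothing matches
    Executable("C:/Program Files/Example Suite/suite.exe", b"MZ...suite",
               "Example Vendor Pty Ltd", "Example Suite"),                       # publisher rule
    Executable("C:/Program Files/Approved/util.exe", b"MZ...util"),               # path rule, locked-down dir
    Executable("C:/Program Files/Approved/plugins/helper.dll", b"MZ...helper",
               dir_writable_by_users=True),                                      # path rule, writable dir
]


def audit(samples=SAMPLES, policy=POLICY):
    """Return {path: (allowed, reason)} for each sample executable."""
    return {exe.path: evaluate(exe, policy) for exe in samples}


if __name__ == "__main__":
    for path, (allowed, reason) in audit().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {path}  [{reason}]")
```

The order of the checks matters: a hash rule allows the file wherever it sits, a publisher rule allows any version the vendor signs under that product name, and a path rule allows anything in the directory, which is why the last one is only safe when write access to that directory is itself restricted.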

For guidance on application whitelisting, see the following ACSC publications:

  1. Strategies to Mitigate Cyber Security Incidents – Top 4 Strategies to Mitigate Targeted Cyber Intrusions
  2. Strategies to Mitigate Cyber Security Incidents – Implementing Application Whitelisting
  3. Australian Government Information Security Manual.

Patching vulnerabilities in applications and operating systems

A patch is a piece of software designed to fix problems or update a computer program or its supporting data. This includes fixing security vulnerabilities and other program deficiencies as well as improving the usability or performance of the software.

 

Patching applications under the Information Security Manual

Key ISM controls relating to patching applications include:

  • ISM security control 1144: security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users
  • ISM security control 1497: an automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place
  • ISM security control 0304: applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.

 

Patching operating systems under the Information Security Manual

Key ISM controls relating to patching operating systems include:

  • ISM security control 1494: security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users
  • ISM security control 1500: an automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place
  • ISM security control 1501: operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.

Applying patches to operating systems, applications, drivers, ICT equipment and mobile devices is a critical activity for systems security:

  1. Patching applications helps to prevent the delivery and execution of malicious code (malware).
  2. Patching operating systems helps to limit the extent of cyber security incidents. For example, applying fixes to known security flaws means systems are protected from compromise. If the operating system is compromised, any action or information handled by that computer is at risk.

Patches for security vulnerabilities come in many forms. These include:

  1. fixes that can be applied to pre-existing application versions
  2. fixes incorporated into new applications or drivers that require replacing pre-existing versions
  3. fixes that require overwriting of the firmware on ICT equipment.

Requirement 2 mandates patching (or where patches are not available, otherwise mitigating) extreme risk security vulnerabilities in applications and operating systems within 48 hours of the vulnerabilities being identified. Other vulnerabilities can be patched as soon as possible, but no later than 30 calendar days from a patch being released. A risk assessment enables entities to assess the severity of their security vulnerabilities.

For guidance, refer to the ACSC's publication Assessing security vulnerabilities and applying patches.

 

Table 1 Risk levels for security vulnerabilities in applications (Note i)

Risk level: Extreme risk
Description: An extreme risk system is characterised by:
  1. the affected system is internet-connected and web enabled
  2. the presence of an existing public exploit (Note ii) or vulnerability targeted at the system, where the exploit can be automated
  3. the system is a critical business system for the entity.
Minimum patching requirement: patching vulnerabilities is required within 48 hours.

Risk level: High risk
Description: A high risk system is characterised by:
  1. the presence of an existing public exploit or vulnerability targeted at the system, where the exploit can be automated
  2. the system is a critical business system for the entity.
Minimum patching requirement: patching vulnerabilities is required as soon as possible (and no later than 30 calendar days). Patching within two weeks of a patch being released is recommended.

Risk level: Moderate risk
Description: A moderate risk system is characterised by an existing public exploit or vulnerability targeted at the system (where the exploit can be automated).
Minimum patching requirement: patching vulnerabilities is required as soon as possible (and no later than 30 calendar days).

Risk level: Low risk
Description: A low risk system contains non-sensitive, publicly available information.
Minimum patching requirement: patching vulnerabilities is required as soon as possible (and no later than 30 calendar days).

Table 1 notes:

i There are multiple information sources that entities may use to assess the applicability and risk of security vulnerabilities in the context of their environment. This includes information published in vendor security bulletins or in severity ratings assigned to security vulnerabilities using standards such as the Common Vulnerability Scoring System (CVSS). For guidance, see the ASD advice, Know and minimise your vulnerabilities before they are used against you.

ii A software tool designed to take advantage of a flaw in a computer system, typically for malicious purposes such as installing malware.
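As an added illustration (not part of the PSPF), the following script applies the timeframes from Requirements 2 and 4 and Table 1 to a constructed vulnerability inventory: extreme risk items are due 48 hours after identification whether or not a patch exists, all other items are due 30 calendar days after the patch is released, and an applied fix only counts as compliant once an automated check has confirmed it is in place, as ISM controls 1497 and 1500 require. Asset names, dates and risk ratings are sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Added example, not PSPF code. Applies the timeliness rules in Requirements 2 and 4 to a
# constructed vulnerability inventory. Assets, dates and risk ratings are sample values.

EXTREME_WINDOW = timedelta(hours=48)   # from identification, patch or mitigate
STANDARD_WINDOW = timedelta(days=30)   # from patch release


@dataclass
class VulnRecord:
    asset: str
    risk: str                           # Table 1 level: extreme, high, moderate or low
    identified: datetime                # when the vulnerability was identified
    patch_released: Optional[datetime]  # None while the vendor has no patch
    remediated: Optional[datetime]      # when a patch or mitigation was applied; None if open
    verified_in_place: bool = False     # automated confirmation the fix is still applied (ISM 1497/1500)


def deadline(rec: VulnRecord) -> Optional[datetime]:
    """Latest acceptable remediation time, or None if no clock is running yet."""
    if rec.risk == "extreme":
        return rec.identified + EXTREME_WINDOW   # the 48 h clock does not wait for a patch
    if rec.patch_released is None:
        return None                              # the 30-day window starts at patch release
    return rec.patch_released + STANDARD_WINDOW


def assess(rec: VulnRecord, now: datetime) -> str:
    """Classify one record against the policy timeframe as at 'now'."""
    due = deadline(rec)
    if due is None:
        return "awaiting patch"
    if rec.remediated is None:
        return "open" if now <= due else "overdue"
    if rec.remediated > due:
        return "late"
    return "compliant" if rec.verified_in_place else "unverified"


def compliance_report(records: List[VulnRecord], now: datetime) -> Dict[str, str]:
    return {r.asset: assess(r, now) for r in records}


# Constructed inventory, assessed as at 10 June 2019 09:00.
NOW = datetime(2019, 6, 10, 9, 0)
INVENTORY = [
    VulnRecord("web-frontend-01", "extreme", datetime(2019, 6, 3, 10, 0), datetime(2019, 6, 3, 12, 0),
               datetime(2019, 6, 4, 16, 0), verified_in_place=True),           # fixed 30 h after identification
    VulnRecord("web-frontend-02", "extreme", datetime(2019, 6, 3, 10, 0), None,
               datetime(2019, 6, 6, 9, 0), verified_in_place=True),            # mitigated, but 71 h later
    VulnRecord("fileserver-01", "high", datetime(2019, 5, 1), datetime(2019, 5, 20), None),    # due 19 June
    VulnRecord("fileserver-02", "moderate", datetime(2019, 4, 1), datetime(2019, 4, 20), None),  # due 20 May
    VulnRecord("intranet-01", "low", datetime(2019, 5, 15), None, None),       # vendor patch pending
    VulnRecord("intranet-02", "low", datetime(2019, 5, 1), datetime(2019, 5, 10),
               datetime(2019, 5, 20), verified_in_place=False),                 # applied, not yet confirmed
]


def report() -> Dict[str, str]:
    return compliance_report(INVENTORY, NOW)


if __name__ == "__main__":
    for asset, status in report().items():
        print(f"{asset:16} {status}")
```

Note that "awaiting patch" is not a safe state for anything above low risk: the policy expects an alternative mitigation (see "When patches are not available" below) while the vendor patch is outstanding, so such records should be tracked rather than ignored.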



The Attorney-General's Department recommends that entities:

  1. monitor relevant sources for information about new security vulnerabilities and associated patches for operating systems and applications. Patching drivers and firmware for ICT equipment is also encouraged
  2. implement a centralised and managed approach to patch operating systems and applications (where possible)
  3. confirm that patches have been installed, applied successfully and remain in place.

Managing application patches can be significantly more challenging than operating system patching. The Attorney-General's Department recommends that entities use the latest release of key business applications, as newer applications have better security functionality built in. Applications include:

  1. office productivity suites (eg Microsoft Office)
  2. PDF readers (eg Adobe Reader)
  3. web browsers (eg Microsoft Internet Explorer, Mozilla Firefox or Google Chrome)
  4. common web browser plugins (eg Adobe Flash)
  5. email clients (eg Microsoft Outlook)
  6. software platforms (eg Oracle Java Platform and Microsoft .NET Framework).

Patches may not be available for older versions of operating systems, especially those no longer supported by vendors. Using unsupported systems exposes entities to security vulnerabilities. New versions of operating systems, applications and hardware often introduce improvements in security functionality over previous versions. This can make it difficult for an adversary to exploit security vulnerabilities they discover.

When patches are not available

If there are no patches available from vendors for a security vulnerability, temporary workarounds may provide an effective protection. These workarounds may be published in conjunction with, or soon after, security vulnerability announcements. Temporary workarounds may include disabling the vulnerable functionality within the operating system, application or device or restricting or blocking access to the vulnerable service using firewalls or other access controls.

When a patch is not available for a security vulnerability, it is recommended that entities apply the following (in priority order):

  1. reducing access to the vulnerability through alternative means by:
    1. disabling the functionality associated with the vulnerability
    2. asking the vendor for an alternative method of managing the vulnerability
    3. moving to a different product with a responsive vendor
    4. engaging a software developer to resolve the vulnerability.
  2. preventing exploitation of the vulnerability by:
    1. applying external input sanitisation (if an input triggers the exploit)
    2. applying filtering or verification on output (if the exploit relates to an information disclosure)
    3. applying additional access controls that prevent access to the vulnerability
    4. configuring firewall rules to limit access to the vulnerability.
  3. containing the exploitation of the vulnerability by:
    1. applying firewall rules limiting outward traffic that is likely in the event of an exploitation
    2. applying mandatory access control preventing the execution of exploitation code
    3. setting file system permissions preventing exploitation code from being written to disk.
  4. detecting exploitation of the vulnerability by:
    1. deploying an intrusion detection system
    2. monitoring logging alerts.
  5. using other mechanisms to detect exploits using the known vulnerability.

Restricting administrative privileges

Privileged access gives a user:

  1. the ability to change key system configurations
  2. the ability to change control parameters
  3. access to audit and security monitoring information
  4. the ability to circumvent security measures
  5. access to data, files and accounts used by other users, including backups and media
  6. special access for troubleshooting a system.

User accounts with administrative privileges are an attractive target for adversaries because they have a high level of access to the entity's systems. Minimising administrative privileges makes it difficult for an adversary to spread or hide their existence.

 

Restricting administrative privileges under the Information Security Manual

Key ISM controls relating to restricting administrative privileges include:

  • ISM security control 1507: privileged access to systems, applications and information is validated when first requested and revalidated on an annual or more frequent basis
  • ISM security control 1508: privileged access to systems, applications and information is limited to that required for personnel to undertake their duties
  • ISM security control 0445: privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access
  • ISM security control 1175: technical security controls are used to prevent privileged users from reading emails, browsing the Web and obtaining files via internet services.

Requirement 3 mandates that the use of privileged accounts be controlled and be auditable. The Attorney-General's Department recommends that a unique and identifiable account with administrative privileges be established (which does not have internet access), and that entities restrict administrative privileges to operating systems and applications based on the user's specific duties.

Preventing privileged accounts from accessing emails or opening attachments, browsing the internet, or obtaining files via internet services such as instant messaging or social media minimises the opportunities for these accounts to be compromised.
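The following added example (not PSPF or ISM code) checks a few constructed proxy and mail-gateway log lines for privileged accounts reading email, browsing the web or fetching files from the internet, the activity that Requirement 3 and ISM control 1175 say technical controls must prevent. It assumes the entity follows ISM control 0445 and names dedicated privileged accounts with an 'adm-' prefix, and that the gateway records a category for each event; both the log format and the naming convention are assumptions made for the example.

```python
import re
from typing import Dict, List

# Added example, not PSPF or ISM code. Screens constructed gateway log lines for privileged
# accounts doing internet-facing activity (web, email, downloads). The 'adm-' prefix for
# dedicated privileged accounts and the key=value log format are assumptions.

PRIVILEGED_PREFIX = "adm-"
INTERNET_CATEGORIES = {"web", "email", "download"}

FIELD_RE = re.compile(r"(?P<key>\w+)=(?P<value>\S+)")

# Constructed sample log: one timestamp followed by key=value fields.
SAMPLE_LOG = """\
2019-05-02T09:15:02Z user=jsmith category=web dst=www.example.com action=allow
2019-05-02T09:16:40Z user=adm-jsmith category=admin-console dst=dc01.corp.example action=allow
2019-05-02T09:18:11Z user=adm-jsmith category=web dst=news.example.net action=allow
2019-05-02T09:20:05Z user=adm-mlee category=email dst=mail.corp.example action=allow
2019-05-02T09:21:30Z user=adm-mlee category=download dst=files.example.org action=block
2019-05-02T09:22:00Z user=mlee category=email dst=mail.corp.example action=allow
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict of fields plus its timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = {m.group("key"): m.group("value") for m in FIELD_RE.finditer(rest)}
    fields["timestamp"] = timestamp
    return fields


def is_privileged(user: str) -> bool:
    return user.startswith(PRIVILEGED_PREFIX)


def find_violations(log_text: str = SAMPLE_LOG) -> List[Dict[str, str]]:
    """Return every internet-facing event by a privileged account.

    Blocked events are reported too: a block shows the technical control worked, but the
    attempt itself indicates the account is being used outside its intended purpose.
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if is_privileged(event.get("user", "")) and event.get("category") in INTERNET_CATEGORIES:
            findings.append(event)
    return findings


def summarise(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count of internet-facing events per privileged account, for follow-up."""
    counts: Dict[str, int] = {}
    for event in findings:
        counts[event["user"]] = counts.get(event["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_violations()
    for event in hits:
        print(f"{event['timestamp']} {event['user']:12} {event['category']:9} {event['dst']} ({event['action']})")
    print(summarise(hits))
```

A check like this is a detective complement to the preventive control, not a substitute for it: the policy requires that privileged accounts are technically prevented from this activity, and the log review shows whether that control is actually holding and which accounts need attention.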

The PSPF policy: Access to information provides guidance on managing access to information systems, including unique user identification, user authentication and authorisation practices. The Attorney-General's Department recommends that entities use multi-factor authentication to assure a privileged account user's identity. This will lower the risk of user accounts being compromised.

Remote privileged access to systems

The risks of remote systems and accounts being compromised can be reduced by using secure communication mediums and security devices.

The Essential Eight and other strategies to mitigate cyber security incidents

The Attorney-General's Department strongly recommends entities implement the ACSC Essential Eight strategies to mitigate cyber threats. These strategies incorporate the four mitigation strategies mandated by this policy (see Requirements) as well as four additional strategies that effectively mitigate common and emerging cyber threats. The additional four are:

  1. configuring Microsoft Office macro settings
  2. user application hardening
  3. multi-factor authentication
  4. daily backups.

Entities are encouraged to implement Strategies to Mitigate Cyber Security Incidents, where relevant to their operational and risk environment. A list of the ACSC strategies is at Annex A.

Cyber security responsibilities when transacting online with the public

Demand for online government services continues to grow, as does the scale and sophistication of cybercrime and of other activity by malicious or benign actors.

Table 2 provides examples of potential threats to the public when transacting online with government.

 

Table 2 Potential threat sources when transacting online with Australian Government entities

An attacker masquerades as a legitimate entity website to compromise a public user's internet-connected device, steal their identity, or scam them into providing personal details (such as credit card information).

An entity website is compromised and used to host malicious software which subsequently compromises an internet-connected device used by the public when they access the website.

An entity website is compromised and used to redirect the public to another malicious website that subsequently compromises their internet-connected device.

A compromised entity website could result in public username or password details being stolen, and an attacker masquerading as the user to claim government or other financial benefits.

The compromised account details of public users could lead to the compromise of other websites, as public users may use the same details for multiple government online accounts.

The compromise of an internet-connected device used by the public could result in:

  1. their addition to a botnet to participate in illegal activities
  2. theft of details for fraud or identity theft purposes
  3. blackmail of the user (where attackers encrypt hard drives and demand money for a decryption key)
  4. corruption of the internet-connected device and loss of user information.

The Attorney-General's Department recommends entities evaluate the threat scenarios identified in Table 2 and adopt applicable security actions for online services as outlined in Table 3. These activities will avoid exposing the public to cyber security risks when they transact online with government.

 

Table 3 Suggested actions to reduce the risk of harm to the public when transacting online with Australian Government entities

Where online transaction accounts are in use, ensure:

  1. users accept account terms and conditions prior to establishing an account as well as when terms and conditions change
  2. there is a warning that explains (simply):
    1. the specific risks associated with use of the online service
    2. who may, or may not, use the service and under what circumstances
    3. details of alternative channels for service or support.
  3. a link to an entity's privacy policy page is provided for further information to public users on the conditions of acceptance
  4. transaction processes that put the user at risk of unnecessary harm are not implemented.

When public users elect to download non-public information from an entity website, ensure:

  1. an appropriate pre-download warning is in place, identifying the potential risk that they are 'about to download information across an unsecured connection'
  2. warning options 'proceed', 'cancel' or '?' are provided
  3. links to additional information on the associated risks are provided.

Ensure that Australian Government websites:

  1. contain statements including a 'security notice' and a 'disclaimer notice' (use www.australia.gov.au website as a template for these notices, in consultation with the entity's legal area. For example, advising the public to report suspicious or unauthorised activity related to an online transaction to the responsible entity).

Ensure that patches for online services (including information-only web pages) and web servers are actioned as a priority by the entity's IT support, as delays in patching may create cyber security vulnerabilities for public users.

Also ensure that:

  1. online transactions that transfer personal details to government use a secure connection (and only collect the information needed for the delivery of a service)
  2. entities using social networking services to interact with the public:
    1. carefully evaluate the privacy and security implications of collecting or retaining personal information as part of a service
    2. monitor social networks for malicious hyperlinks embedded in posts, where posts are not directly moderated by the entity before publishing.

Where appropriate and reasonable, entities may offer or impose:

  1. higher level security credentials (eg one-time passwords, digital certificates or tokens) or policy, to help users select a secure password
  2. restrictions or warnings about browser versions that are known to have security weaknesses, are out of date or are unsupported
  3. a display of the previous login details at user login (entities implementing a high value or high risk transaction may consider notifying the user of access on their account with details of the Internet Protocol (IP) address)
  4. a message of what personal information an entity will never require users to disclose over email (eg that they would not require users to provide sensitive personal information such as login credentials). Entities may provide advice or links to cyber security and cyber safety information
  5. an alert to users when they are redirected to an external website.

Indications of a security compromise can be detected by:

  1. analysing patterns of online user interactions for unusual activity
  2. fingerprinting user access to detect anomalous access vectors
  3. performing a code audit of the web applications used on the entity's website to detect security vulnerabilities.


Find out more

Other related legislation, policies and publications include:

  1. the Australian Cyber Security Centre (ACSC), including:
    1. the Australian Government Information Security Manual
    2. Strategies to Mitigate Cyber Security Incidents
    3. supporting publications and advice.
  2. government cyber security advice, including:
    1. Protecting Yourself Online – What Everyone Needs to Know
    2. CyberSmart – Cyber Safety for kids, teens, parents, libraries, schools
    3. Stay Smart Online – Cyber Security for Australian internet users
    4. SCAMWatch – online information on avoiding and reporting scams
    5. CERT Australia – Australia's national computer emergency response team
    6. the Australian Government Cyber Security Strategy
    7. the Australian Federal Police.


Annex A. ACSC strategies to mitigate cyber incidents (note 2)

Annex A Table 1 Strategies to mitigate cyber incidents – Mitigation strategies to prevent malware delivery and execution

Relative security effectiveness rating | Mitigation strategy
Essential | Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (eg Windows Script Host, PowerShell and HTA) and installers.
Essential | Patch applications eg Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with extreme risk vulnerabilities within 48 hours. Use the latest version of applications.
Essential | Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in 'trusted locations' with limited write access or digitally signed with a trusted certificate.
Essential | User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (eg OLE), web browsers and PDF viewers.
Excellent | Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified (eg network traffic, new or modified files, or other system configuration changes).
Excellent | Email content filtering. Whitelist allowed attachment types (including in archives and nested archives). Analyse and sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros.
Excellent | Web content filtering. Whitelist allowed types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains.
Excellent | Deny corporate computers direct internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server and an authenticated web proxy server for outbound web connections.
Excellent | Operating system generic exploit mitigation eg Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).
Very good | Server application hardening especially internet accessible web applications (sanitise input and use TLS not SSL) and databases, as well as applications that access important (sensitive or high availability) data.
Very good | Operating system hardening (including for network devices) based on a Standard Operating Environment, disabling unneeded functionality (eg RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and WPAD).
Very good | Antivirus software using heuristics and reputation ratings to check a file's prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers.
Very good | Control removable storage media and connected devices. Block unapproved CD, DVD and USB storage media. Block connectivity with unapproved smartphones, tablets and Bluetooth, Wi-Fi, 3G and 4G devices.
Very good | Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use 'hard fail' SPF TXT and DMARC DNS records to mitigate emails that spoof the entity's domain.
Good | User education. Avoid phishing emails (eg with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services.
Limited | Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers.
Limited | TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted.

 

Annex A Table 2 Strategies to Mitigate Cyber Incidents – Mitigation strategies to limit the extent of cyber security incidents

Relative security effectiveness rating | Mitigation strategy
Essential | Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don't use privileged accounts for reading email and web browsing.
Essential | Patch operating systems. Patch/mitigate computers (including network devices) with extreme risk vulnerabilities within 48 hours. Use the latest operating system version. Do not use unsupported versions.
Essential | Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive or high availability) data repository.
Excellent | Disable local administrator accounts or assign passphrases that are random and unique for each computer's local administrator account to prevent propagation using shared local administrator credentials.
Excellent | Network segmentation. Deny network traffic between computers unless required. Constrain devices with low assurance (eg BYOD and IoT). Restrict access to network drives and data repositories based on user duties.
Excellent | Protect authentication credentials. Remove cPassword values (MS14-025). Configure WDigest (KB2871997). Use Credential Guard. Change default passphrases. Require long complex passphrases.
Very good | Non-persistent virtualised sandboxed environment. Deny access to important (sensitive or high availability) data, for risky activities (eg web browsing, and viewing untrusted Microsoft Office and PDF files).
Very good | Software-based application firewall, blocking incoming network traffic. Block traffic that is malicious or unauthorised, and deny network traffic by default (eg unneeded or unauthorised RDP and SMB/NetBIOS traffic).
Very good | Software-based application firewall, blocking outgoing network traffic. Block traffic that is not generated by approved or trusted programs, and deny network traffic by default.
Very good | Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size and frequency of outbound emails. Block and log emails with sensitive words or data patterns.

 

Annex A Table 3 Strategies to Mitigate Cyber Incidents – Mitigation strategies to detect cyber security incidents and respond

Relative security effectiveness rating | Mitigation strategy
Excellent | Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of permitted and denied: computer events, authentication, file access and network activity.
Very good | Host-based intrusion detection and prevention system to identify anomalous behaviour during program execution (eg process injection, keystroke logging, driver loading and persistence).
Very good | Endpoint detection and response software on all computers to centrally log system behaviour and facilitate incident response. Microsoft's free SysMon tool is an entry-level option.
Very good | Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise.
Limited | Network-based intrusion detection and prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries.
Limited | Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis.

 

Annex A Table 4 Strategies to Mitigate Cyber Incidents – Mitigation strategies to recover data and system availability

Relative security effectiveness rating | Mitigation strategy
Excellent | Daily backups of important new or changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
Very good | Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover.
Very good | System recovery capabilities eg virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts.

 

Annex A Table 5 Strategies to Mitigate Cyber Incidents – Mitigation strategy specific to preventing malicious insiders

Relative security effectiveness rating | Mitigation strategy
Very good | Personnel management eg ongoing vetting especially for users with privileged access, immediately disable all accounts of departing users, and remind users of their security obligations and penalties.


1 For guidance, see the Australian Government Information Security Manual's controls for application whitelisting, application and operating system patching, and restricting administrative privileges.

2 As these tables are based on best advice from ASD, they will periodically be updated to reflect any changes in ASD guidance.