Skip to content

Annual Implementation Report

This page has been designed to accompany the 2023 WA Cyber Security Policy Annual Implementation Report Template and provides additional guidance for assessors when answering questions in the provided template. The CSU requires that WA Government entities report against the August 2023 (first published in November 2022) for AIR reporting. This represents the 2022 maturity model.

Cyber Security Policy

This section provides guidance for the sheet 2. Cyber Security Policy

Lead

ID No Yes
1.1 The entity does not list roles and responsibilities of the Accountable Authority within the organisation's Cyber/Information Security Policy The entity defines roles and responsibilities of the Accountable Authority within the organisation's Cyber/Information Security Policy in line with the requirements of the WA Cyber Security Policy

Identify

ID Not Started Implementation in Progress Implemented with Issues Implemented and Monitoring
2.1.1A The entity does not track or maintain a list of physical devices and systems. The entity has incomplete list of inventory and is in the process of completing its inventory list. The entity has established inventory but not maintained The entity maintains physical device and system inventory and manages this during their lifecycle.
2.1.1B The entity does not track or maintain a list of software and applications use to service business. The entity has incomplete list of inventory or is in the process of completing its inventory list. The entity has established inventory but not maintained. The entity maintains a software platforms and applications inventory and manages this during their lifecycle.
2.1.1C The entity does not track or maintain a list of External information systems The entity has incomplete list of inventory or is in the process of completing its inventory list. The entity has established inventory but not maintained as agreed within service level agreement. The entity maintains a list of External information systems and manages these through service level agreement during their lifecycle.
2.1.1D The entity does not track or maintain a list of critical functions and system dependencies. The entity has incomplete list of critical functions and system dependencies, and is in the process of completing its inventory list. The entity has list of critical functions and system dependencies but not regularly maintained. The entity maintained list of critical functions and system dependencies
2.1.1E Organisation understood legal and regulatory requirements but do not have roadmap to achieve compliance. Legal and regulatory requirements are understood, and implementation program to achieve compliance is in progress. Legal and regulatory requirements are understood and implemented. Legal and regulatory requirements are understood, implemented and compliance are maintained.
2.1.1F The entity does not track or maintain a list of information systems, components and services provided by suppliers or third-parties. The entity has an incomplete list of information systems, components and services provided by suppliers and third-parties. The entity has a list of information systems, components and services provided by suppliers and third-parties. The entity maintains a list of Information systems, components and services maintained by suppliers and third-parties , and actively manages the lifecycle of these systems.
2.3.1 The entity has not developed a cyber security risk management strategy or has an ad-hoc approach to reducing cyber security risk within their organisation. The entity is in the process of developing a cyber security risk management strategy or roadmap to reducing cyber security risk within their organisation. The entity has developed a cyber cyber risk strategy, established a risk management program. The entity has approved a cyber risk strategy updated in the last year, has established a risk management program, and tracks progress using a treatment action plan.

Protect

ID Not Started Implementation in Progress Implemented with Issues Implemented and Monitoring
3.3.5 The entity does not have any mechanism in place for the public to report vulnerabilities. The entity is currently developing a reporting mechanism for public to report vulnerabilities. The entity has published mechanism for the public to report vulnerabilities, however does not respond or action vulnerabilities in a timely manner. The entity has a established reporting mechanism is in place and and action is taken in timely manners to remediate vulnerabilities.

For example www.wa.gov.au Vulnerability Disclosure Policy or security.txt based on RFC 9116
3.5.1 The entity does not perform Training and Awareness for cyber security or information security for staff. The entity provides ad-hoc Training and Awareness for cyber security for staff.

The entity does not provide targeted or specialised education for users with privileged access or positions of authority/trust.
The entity provides regular Training and Awareness for cyber security for staff/users that focuses on influencing user behaviour.

The entity provides ad-hoc targeted or specialised education for users with privileged access or positions of authority/trust.
The entity provides structured Training and Awareness for cyber security for staff/users that focuses on influencing user behaviour and measuring improvement.

The entity provides regular targeted or specialised education for users with privileged access or positions of authority/trust.
3.6.1 The entity does not consider the security risks for staff travelling with devices overseas. The entity understand the risk and currently in process of implementing technical and governance measures for staff travelling with devices overseas. The entity may have ad-hoc processes for device management when staff travel overseas. The entity has effective cybersecurity measures, encompassing both technical and governance aspects, without active monitoring. The entity has processes for device management when staff travel overseas. The entity has effective cybersecurity measures, encompassing both technical and governance aspects, and maintains active monitoring. The entity has processes for devices management such a provisioning temporary "burner" devices and have processes to reduce risk for devices returning from overseas.
3.6.2 The entity does not consider the security risks for staff travelling overseas. The entity understands the risk and currently in process of implementing technical and governance measures. The entity has effective cybersecurity measures, encompassing both technical and governance aspects, without active monitoring. The entity has effective cybersecurity measures, encompassing both technical and governance aspects, and maintains active monitoring.
3.7.1 The entity does not define risk management processes or clauses for third party within procurement contract. The entity is currently developing risk management processes for third party vendors. The entity incorporated cyber security requirements for third-party vendors within procurement contract, without progress are being tracked through service level agreement. The entity incorporates cyber security requirements for third party vendors within procurement contract and progress are tracked through service level agreement.
3.7.5 The entity does not review where data is stored when procuring systems. The entity is developing formal position. The entity has approved position to satisfy this task and assurance are not tracked The entity has approved position that is aligned to WA Government Data Offshoring Position and monitors existing contracts/suppliers to ensure that data and information systems are aligned with the entity's approved position.
3.8.1 The entity lacks processes for securing physical assets and does not track or manage access to them. The entity tracks some assets are and efforts are underway to expand control management to the remaining areas. The entity mostly manages access to assets however there may be areas where the management is not fully consistent. The entity manages physical access to assets and is tracked and audited on a regular basis.
3.9.1 The entity does not securely dispose digital media. The entity is developing disposal processes requirements or assessing vendors that could be partnered with to manage disposal of digital media. The entity has a secure disposal process, such as media sanitisation or media destruction techniques, but does not ensure vendor compliance with certificates. The entity has a secure disposal process, such as media sanitisation or media destruction techniques, ensuring vendor compliance with certificates.

Detect

ID Not Started Implementation in Progress Implemented with Issues Implemented and Monitoring
4.1.1 The entity does not capture network events from workstations. The entity captures network events for some endpoints and is working on expanding the collection of these events to cover all workstations. The entity captures network events from most workstation within SIEM.

The entity is developing processes to monitor and analyse network events to identify suspected cyber security incidents.
The entity captures network events are from workstations within SIEM.

The entity actively monitors and analyses these to identify suspected cyber security incidents.
4.1.2 The entity does not capture Command line processes from workstations. The entity captures command line process from workstations and is working on expanding the collection of these event to cover all workstations. The entity captures command line process from most workstation within SIEM.

The entity is developing processes to monitor and analyse command line processes to identify suspected cyber security incidents.
The entity captures command line processes from workstations within SIEM.

The entity actively monitors and analyses these to identify suspected cyber security incidents.
4.1.3 The entity does not capture email events and URLS visited by workstations. The entity partially captures email events or URLS visited by workstations. The entity captures email events and URLS visited by workstations within SIEM.

The entity is developing processes to monitor and analyse email events and URLS visited by workstations.
The entity captures email events and URLS visited by workstations within SIEM.

The entity actively monitors and analyses these to identify suspected cyber security incidents.
4.1.4 The entity does not capture identity events (logons and group/role changes). The entity partially captures identity events across ICT infrastructure. The entity captures identity events across most ICT infrastructure (on-premises and cloud) within SIEM.

The entity is developing processes to monitor and analyse identity events.
The entity captures identity across ICT infrastructure (on-premises and cloud) within SIEM.

The entity actively monitors and analyses these to identify suspected cyber security incidents.
4.3.1 The entity does not have a Security Information and Event Management (SIEM) solution. Entity has a Security Information and Event Management (SIEM) solution to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour is in place.

SIEM has low levels of visibility, low coverage of assets (sources) or logs may be distributed in other security solutions not captured by the SIEM.

SIEM Logs are stored for only 12 months.

The entity has started testing Incident response plan, processes and technical capabilities.
Entity has a Security Information and Event Management (SIEM) solution to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour is in place.

SIEM has good of visibility, high coverage of assets (sources) or logs may be distributed in other security security solutions not captured by the SIEM.

Logs are stored for only 12 months.

Incident response plan, processes and technical capabilities are not regularly tested.
Entity has a Security Information and Event Management (SIEM) solution to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour is in place.

SIEM has excellent visibility, high coverage of assets (sources) and logs from other security security solutions are captured by the SIEM.

Logs are stored for at least 18 months retention period or to meet regulatory requirements.
4.5.1 The entity does not respond to security alerts. The entity is developing capabilities to respond to security alerts or is ad-hoc in their approach to responding to security alerts. The entity has capabilities to respond to security alerts and has developed repeatable processes for security operations staff to respond to security alerts. The entity has robust capabilities to respond and triage security alerts in a timely manner.

Respond

ID Not Started Implementation in Progress Implemented with Issues Implemented and Monitoring
5.1.1 The entity does not have an Incident Response Plan. The entity has developed an Incident Response Plan.

The entity has not tested the Incident Response Plan for greater than one year.
The entity has developed an Incident Response Plan.

The entity has tested the Incident resposne plan within the past year.
The entity has developed robust Incident Response Plans that may include "playbooks" for common cyber threats. The plans are updated on an annual basis or when significant changes to ICT systems occur.

The entity has tested the Incident Response Plan within the past year. Test results or lessons learnt from enacting plans are captured and used to improve existing plans.

ACSC Strategies

This section provides guidance for the sheet 5. Strategies to Mitigate.

The ACSC strategies to Mitigate Cyber Security Incidents are ranked in effectiveness of implementation based on the following terms. A maturity assessment tool for each strategy has been provided below with general guidance to enable assessors to determine the agency's implementation of the strategy.

Option Description
1. Not Applicable
  • Based off an assessment of risk, the agency has decided the control is not required.
  • Compensating controls are in place to manage related risk.
2. Not started
  • The control has been selected for implementation, however work to implement has not started.
  • The control is not effective yet.
3. In Progress
  • Implementation of the control is in progress and not complete.
  • The control is partially effective, or ineffective.
4. Implemented with Issues
  • The control is implemented, however exceptions/failures are common.
  • The control is partially effective, or possibly ineffective.
5. Implemented and Monitoring
  • The control is implemented and monitored for exceptions.
  • Control exceptions/failures are minimal, managed, and understood.
  • The control is effective.

Prevent Malware Delivery and Execution

Control Strategy Not Started In-Progress Implemented With Issues Implemented and Monitoring ACSC Guidance
5 Automated dynamic analysis of email and web content run in a sandbox The entity has not deployed sandbox analysis of inbound email or web content. The entity has deployed a sandbox analysis solution for inbound email and/or web content that is not fully functional or in audit/passive only mode. The entity has deployed a sandbox analysis solution for inbound email and/or web content but it uses untuned rule-sets, excessive bypass lists or does not receive timely vendor intelligence definitions. The Entity has deployed a sandbox analysis solution for inbound email and web content. The solution has finely tuned rule-sets, minimal bypass lists, receives regular vendor intelligence definitions. link
6 Email content filtering The entity does not perform content filtering of inbound email. The entity has deployed an email content filtering solution is present that is not finely tuned or left as system defaults for inspection of email content types including file attachments, hyperlinks or is configured in audit/passive mode only. The Entity has deployed an email content filtering solution and has fine tuned configuration for inspection of email content types, however rulesets are overly permissive.

Content which cannot be scanned is not blocked.
The entity has deployed an email content filtering solution that has fine tuned and robust rulesets configured capturing all inbound mail and the inspection of hyperlinks and attachments. Filtering solution receives regular vendor intelligence definitions.

Content that cannot be scanned is blocked/quarantined.

Inbound mail is blocked if the external sender address is the same as the internal domain.
Link
7 Web content filtering The entity does not perform filtering of web content. The entity deploys web content filtering is available but not all traffic is subject to filtering or rules are overly submissive. HTTPS traffic is not filtered. The entity deploys web content filtering for most for HTTP and HTTPs traffic. Filtering rules restrict access to uncategorised, web advertisement, anonymity services, free and anonymous domains used by adversaries. Access to websites via IP address is blocked. The entity deploys web content filtering for all HTTP and HTTPs traffic. Filtering rules restrict access to uncategorised, web advertisement, anonymity services, free and anonymous domains used by adversaries. Access to websites via IP address is blocked. Filtering rules restrict access to malicious executables, Flash/ActiveX/Java content and Microsoft Office files containing macros. Vendor intelligence definitions are updated regularly. Link
8 Deny corporate computers direct internet connectivity The entity's perimeter firewall is configured to allow corporate computers direct internet access. The entity's perimeter firewall is configured to only allow corporate computers outbound access to approved ports and protocols including HTTP and HTTPS. The entity's perimeter firewall is configured to only allow corporate computers outbound access to approved ports and protocols.

Corporate Computers outbound internet traffic for HTTP and HTTPS is routed via a proxy.
The entity's perimeter firewall is configured to only allow corporate computers outbound access to approved ports and protocols.

Corporate Computers outbound internet traffic for HTTP and HTTPS is routed via an authenticated proxy.

Servers are restricted from browsing the internet and accessing email services."
Link
9 Operating system generic exploit mitigation The entity deploys operating systems with default exploit mitigation settings enabled.

The entity has Windows 32-bit operating systems present.
The entity deploys operating systems with default exploit mitigation settings enabled.

The entity only has Windows 64-bit operating systems present.
The entity deploys operating systems with Data Execution Prevention, Address Space Layout Randomisation or Enhanced Mitigation Experience Toolkit rules configured on some machines.

The entity only has Windows 64-bit operating systems present. Linux operating systems are deployed with Security-Enhanced Linux (SELinux).
The entity deploys operating systems with Data Execution Prevention, Address Space Layout Randomisation or Enhanced Mitigation Experience Toolkit rules configured all machines.

The entity only has Windows 64-bit operating systems present. Linux operating systems are deployed with Security-Enhanced Linux (SELinux).
Link
10 Server application hardening The entity has not assessed or applied Server Application Hardening controls. Default installations may provide insecure configurations that expose server applications to cyber threats. The entity has commenced applying Server application techniques, such as ASD Hardening for Server Applications and prioritises configurations to internet facing systems. The entity has applied Server application techniques, such as ASD Hardening for Server Applications, data and applications that access important data. Hardening has been prioritised for internet facing systems.

The entity has chosen Server Applications from vendors that have demonstrated a commitment to secure-by-design and secure-by default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products. OWASP provides principles for Web Applications that mitigate common design.
The entity has applied Server application techniques, such as ASD Hardening for Server Applications, data and applications that access important data. Hardening has been applied internet facing systems and non-internet facing systems.

The entity has chosen Server Applications from vendors that have demonstrated a commitment to secure-by-design and secure-by default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products. OWASP provides principles for Web Applications that mitigate common design.
Link
11 Operating system hardening The entity has not assessed or applied Operating System Hardening controls. Default installations may provide insecure configurations that expose Operating Systems to cyber threats. The entity has commenced applying Operating System hardening controls.

File and registry key permissions are hardened and Windows Task Scheduler, DLL search path algorithm and file extension are configured to prevent only users to execute malicious program.

The entity has started disabling unneeded functionalities such as Server Message Block (SMB), Link-Local Multicast Name Resolution (LLMNR) , Web Proxy Auto-Discovery (WPAD) , RDP and AutoRun.
The entity has applied Operating System hardening controls to most workstations using a managed Standard Operating Environment (SOE).

The entity has commenced applying Operating System hardening controls to servers.

File and registry key permissions are hardened and Windows Task Scheduler, DLL search path algorithm and file extension are configured to prevent only users to execute malicious program.

The entity has disabled unneeded functionalities such as Server Message Block (SMB), Link-Local Multicast Name Resolution (LLMNR) , Web Proxy Auto-Discovery (WPAD) , RDP and AutoRun.
The entity has applied Operating System hardening controls to workstations and servers using a managed Standard Operating Environment (SOE) and monitors for drifts in configuration.

File and registry key permissions are hardened and Windows Task Scheduler, DLL search path algorithm and file extension are configured to prevent only users to execute malicious program.

The entity has disabled unneeded functionalities such as Server Message Block (SMB), Link-Local Multicast Name Resolution (LLMNR) , Web Proxy Auto-Discovery (WPAD) , RDP and AutoRun.
Link
12 Antivirus software using heuristics and reputation ratings The entity does not install antivirus software to computers or gateways. The entity has installed antivirus software to some computers that checks file's prevalence or digital signature before execution. The entity has installed antivirus software on most computers that is configured check a file's prevalence and digital signature before execution.

The entity has installed antivirus software on gateways that check a file's prevalence and digital signature before execution.
The entity has installed antivirus software on all computers that is configured check a file's prevalence and digital signature before execution.

The entity has installed antivirus software on gateway (from a different vendor than computers) that check a file's prevalence and digital signature before execution.
Link
13 Control removable storage media and connected devices The entity does not control removable storage media and connected devices The entity has a robust policy and process is in place for storage media and file transfer.

The entity has commenced configuration of controls to restrict access to unapproved storage media and connected devices.
The entity has a robust policy and process is in place for storage media and file transfer.

The entity has configuration of controls to restrict access to unapproved storage media and connected devices on most computers.
The entity has a robust policy and process is in place for storage media and file transfer.

The entity has configuration of controls to restrict access to unapproved storage media and connected devices on all computers.
Link
14 Block spoofed emails The entity does not deploy Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) OR Domain-based Message Authentication, Reporting, and Conformance (DMARC) for domains owned by the agency. The entity has implemented SPF.

The entity has not commenced configuration DKIM or DMARC.
The entity has implemented SPF.

The entity has commenced DKIM configuration against owned domains.

The entity has commenced DMARC configuration and has policy set to “none” or “quarantine”.
The entity has implemented SPF with hardfail.

The entity has implemented DKIM across email infrastructure.

The Entity has implemented DMARC with policy set to reject.
Link
15 User education The entity does not perform Training and Awareness for cyber security or information security for staff. The entity provides ad-hoc Training and Awareness for cyber security for staff.

The entity does not provide targeted or specialised education for users with privileged access or positions of authority/trust.
The entity provides regular Training and Awareness for cyber security for staff/users that focuses on influencing user behaviour.

The entity provides ad-hoc targeted or specialised education for users with privileged access or positions of authority/trust.
The entity provides structured Training and Awareness for cyber security for staff/users that focuses on influencing user behaviour and measuring improvement.

The entity provides regular targeted or specialised education for users with privileged access or positions of authority/trust.
Link
16 Antivirus software with up-to-date signatures The entity does not install antivirus software to computers or gateways. The entity has signature based antivirus software from reputable vendor installed on some computers or has commenced the deployment on gateways. The entity has signature based antivirus software from reputable vendor installed on most computers or has commenced the deployment on gateways.

Antivirus software definitions update automatically.

Antivirus software is configured to scan files upon opening or scanned on a regular basis.
The entity has signature based antivirus software from reputable vendor is deployed to all computers and gateways to detect more sophisticated malware.

Antivirus software definitions update automatically and regularly.

Antivirus software is configured to scan files upon opening and scanned on a regular basis.
Link
17 TLS encryption between email servers The entity does not enable Transport Layer Security (TLS) on email servers. The entity has commenced configuration of Transport Layer Security (TLS) on email servers for inbound or outbound email communication. The entity has configured Transport Layer Security (TLS) for both inbound and outbound email communication to prevent legitimate emails being intercepted and subsequently leveraged for social engineering. The entity has enforced Transport Layer Security (TLS) for both inbound and outbound email communication to prevent legitimate emails being intercepted and subsequently leveraged for social engineering.

The entity configures content scanning after email traffic is decrypted as part of ""Email content Filtering"" strategy.
Link

Limit the Extent of Cyber Security Incidents

Control Strategy Not Started In-Progress Implemented With Issues Implemented and Monitoring ACSC Guidance
21 Disable local administrator account The entity does not disable local administrator accounts or set unique credentials for each computer. The entity has commenced to disable local administrator accounts or managed credentials with a solution such as Windows Local Administrator Password Solution (LAPS) to prevent lateral movement using administrator credentials. The entity has disabled local administrator accounts or managed credentials with a solution such as Windows Local Administrator Password Solution (LAPS) to prevent lateral movement using administrator credentials for most computers.

Credentials for local administrator accounts are created uniquely and stored within Active Directory or Azure Active Directory.
The entity has disabled local administrator accounts or managed credentials with a solution such as Windows Local Administrator Password Solution (LAPS) to prevent lateral movement using administrator credentials for most computers.

Credentials for local administrator accounts are created uniquely and stored within Active Directory or Azure Active Directory.

Windows LAPS is used to automatically managed Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers.
Link
22 Network segmentation The entity does not perform network segmentation (i.e. flat network). The entity has deployed network controls such as Virtual LANs, firewalls and access control lists that constrains devices with low assurance (e.g. BYOD and IoT).

The entity has not commenced implementation of Jump boxes, Software based firewall and IPsec for servers and cloud computing infrastructure.
The entity has deployed network controls such as Virtual LANs, firewalls and access control lists that constrains devices with low assurance (e.g. BYOD and IoT), and limited user access to network drives and data repositories based on user duties.

The entity has commenced implementation of Jump boxes, Software based firewall and IPsec for servers and cloud computing infrastructure.
The entity has deployed network controls such as Virtual LANs, firewalls and access control lists that constrains devices with low assurance (e.g. BYOD and IoT), and limited user access to network drives and data repositories based on user duties.

The entity has implementation of Jump boxes, Software based firewall and IPsec for servers and cloud computing infrastructure.

The entity has deployed micro-segmentation or denied traffic between computers unless required.
Link
23 Protect authentication credentials The entity has not assessed their environment to protect authentication credentials. The entity has enforced strong password policies.

The entity has disabled Wdigests (Setting UserLoginCredential to 0), Removed CPasswords (Group Policy Preference XML) and disabled Link-Local Multicast Name Resolution (LLMNR) to prevent password exposure over insecure channels.

The entity changes default passphrases.
The entity has enforced strong password policies and uses solutions to prevent weak passwords.

The entity has disabled Wdigests (Setting UserLoginCredential to 0), Removed CPasswords (Group Policy Preference XML) and disabled Link-Local Multicast Name Resolution (LLMNR) to prevent password exposure over insecure channels.

The entity changes default passphrases and uses Password Vaults to securely store credentials.

The entity may have enabled Credential Guard on Windows 10 or later workstations.
The entity has enforced strong password policies and uses solutions to prevent weak passwords.

The entity has disabled Wdigests (Setting UserLoginCredential to 0), Removed CPasswords (Group Policy Preference XML) and disabled Link-Local Multicast Name Resolution (LLMNR) to prevent password exposure over insecure channels.

The entity changes default passphrases and uses Password Vaults to securely store credentials.

The entity has enabled Credential Guard on Windows 10/Server 2016 or later.
Link
24 Non-persistent virtualised sandboxed environment The entity does not use non-persistent virtualised sandboxed environments. The entity only uses non-persistent virtualised environment is used to deny access to sensitive data for some risky activities.

Examples include Microsoft Application Guard (e.g. MS Office/MS Edge).
The entity performs approaches of inbuilt sandbox and non-persistent virtualised environment are used with issues to deny access to sensitive data for most risky activities.

Examples include Microsoft Application Guard or Virtual Desktop Infrastructure with non-persistent profiles.
The entity performs approaches of inbuilt sandbox and non-persistent virtualised environment are used with issues to deny access to sensitive data for all risky activities.

Examples include Microsoft Application Guard or Virtual Desktop Infrastructure with non-persistent profiles.
Link
25 Software-based application firewall, blocking incoming network traffic The entity has disabled or does not configure Software-based application firewalls (e.g. Windows Firewall) to prevent incoming network connections. The entity has commenced configuration of software-based application firewall for incoming network traffic. The entity has configured software-based application firewall with limited rule set to block malicious and unintended incoming network traffic. The entity has configured software-based application firewall to block malicious and unintended incoming network traffic. Rules are configured to provide maximum protect to network services and prevent unneeded/unauthorised traffic (following least privilege access principles) Link
26 Software-based application firewall, blocking outgoing network traffic The entity has disabled or does not configure Software-based application firewalls (e.g. Windows Firewall) to prevent outgoing network connections. The entity has commenced configuration of software-based application firewall for outgoing network traffic. The entity has configured software-based application firewall with limited rule set to block malicious and unintended outgoing network traffic. The entity has configured software-based application firewall to block malicious and unintended outgoing network traffic. Rules are configured to provide the minimum levels of network activity designed for the user or system (following least privilege access principles). Link
27 Outbound web and email data loss prevention The entity does not deploy Data Loss Prevention solutions to identify or prevent exfiltration of sensitive organisational data. The entity has commenced considering applying Data Loss Prevention solutions to identify or prevent exfiltration of sensitive organisational data.

Sensitive Data may be identified and labelled with Data Classification Sensitivity labels, or via sensitive data patterns/keywords.

Some prevention controls may limit exfiltration of sensitive data by logging or blocking access to unapproved cloud computing services including personal webmail.
The entity has configured Data Loss Prevention solutions to identify or prevent exfiltration of sensitive organisational data.

Sensitive Data is identified and labelled with Data Classification Sensitivity labels, or via sensitive data patterns/keywords.

Prevention controls limit exfiltration of sensitive data by logging or blocking access to unapproved cloud computing services including personal webmail.

Outgoing email with sensitive data patterns, size and frequency are logged and reported.
The entity has configured Data Loss Prevention solutions to identify and prevent exfiltration of sensitive organisational data.

Sensitive Data is identified and labelled with Data Classification Sensitivity labels, or via sensitive data patterns/keywords.

Prevention controls limit exfiltration of sensitive data by logging or blocking access to unapproved cloud computing services including personal webmail.

Outgoing email with sensitive data patterns, size and frequency are logged and reported.
Link

Detect Cyber Security Incidents and Respond

Control Strategy Not Started In-Progress Implemented With Issues Implemented and Monitoring ACSC Guidance
28 Continuous incident detection and response Entity does not have a Security Information and Event Management (SIEM) solution. Entity has a Security Information and Event Management (SIEM) solution to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour is in place.

SIEM has low levels of visibility, low coverage of assets (sources) or logs may be distributed in other security solutions not captured by the SIEM.

SIEM Logs are stored for only 12 months.

The entity has started testing Incident response plan, processes and technical capabilities.
Entity has a Security Information and Event Management (SIEM) solution to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour is in place.

SIEM has good of visibility, high coverage of assets (sources) or logs may be distributed in other security security solutions not captured by the SIEM.

Logs are stored for only 12 months.

Incident response plan, processes and technical capabilities are not regularly tested.
Entity has a Security Information and Event Management (SIEM) solution to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour is in place.

SIEM has excellent visibility, high coverage of assets (sources) and logs from other security security solutions are captured by the SIEM.

Logs are stored for at least 18 months retention period or to meet regulatory requirements

Incident response plan, processes and technical capabilities are regularly tested.
Link
29 Host-based intrusion detection/prevention system The entity does not have a Host-based intrusion detection/prevention system (HIDS/HIPS). The entity has commenced configuring Host-based intrusion detection/prevention system (HIDS/HIPS).

The system may be able to identify anomalous behaviour during program execution, but may not be configured to block it.
The entity has configured Host-based intrusion detection/prevention system (HIDS/HIPS) to identify anomalous behaviour.

HIDS/HIPS may be configured aggressively for the operating environment resulting in a high volume of false positives impacting user experience and may impact cyber security incident response teams.
The entity has configured Host-based intrusion detection/prevention system (HIDS/HIPS) to identify anomalous behaviour.

HIDS/HIPS may be configured appropriately for the operating environment providing minimum impact to user experience and supports cyber security incident response teams.
Link
30 Endpoint detection and response software The entity does not use Endpoint Detection and Response (EDR) software. The entity has commenced deployment of Endpoint detection and response (EDR) software to capture system behaviour logs and other telemetry metadata. The entity has deployed Endpoint detection and response (EDR) software to most computers to capture system behaviour logs and other telemetry metadata.

EDR software generates enough useful data to enable cyber security incidents to be identified, without causing too many false positives.
The entity has deployed Endpoint detection and response (EDR) software to all computers to capture system behaviour logs and other telemetry metadata.

EDR software generates enough useful data to enable cyber security incidents to be identified, without causing too many false positives.

EDR enables investigation and response activities such as rapidly analysing multiple computers seamlessly, blocking specific network communication attempts and isolating a compromised computer from the network.
Link
31 Hunt to discover incidents The entity does not have the capability or an approach to hunt for incidents. The entity has initiated threat hunting activities based on knowledge of adversary tradecraft.

The entity may leverage Indicators of compromise and threat intelligence to discover incidents.
The entity performs threat hunting activities based on knowledge of adversary tradecraft.

The entity will leverage Indicators of compromise and threat intelligence to discover incidents.
The entity proactively performs threat hunting activities based on knowledge of adversary tradecraft.

The entity will leverage Indicators of compromise and threat intelligence to discover incidents, however will focus on detecting strategy, tactics, techniques, procedures that are outside of known threats.
Link
32 Network-based intrusion detection/prevention system The entity does not have a Network-based intrusion detection/prevention system (NIDS/NIPS). The entity has commenced configuring network-based intrusion detection/prevention system (NIDS/NIPS). The system may be able to identify anomalous network traffic, but may not be configured to block it. The entity has configured Network-based intrusion detection/prevention system (NIDS/NIPS) to identify anomalous network behaviour.

NIDS/NIPS may be configured aggressively for the operating environment resulting in a high volume of false positives impacting user experience and may impact cyber security incident response teams.
The entity has configured Network-based intrusion detection/prevention system (NIDS/NIPS) to identify anomalous behaviour.

NIDS/NIPS may be configured appropriately for the operating environment providing minimum impact to user experience and supports cyber security incident response teams.
Link
33 Capture network traffic The entity does not capture Network traffic to perform incident detection and analysis. The entity captures network traffic to create summaries or Metadata of traffic statistics.

The summaries of metadata may identify general network patterns, but may not be sufficient to enable incident detection and analysis.
The entity captures network traffic on incoming and outgoing network traffic without focusing on critical assets storing sensitive data. This enables the entity to perform incident detection and analysis.

Summaries or metadata of traffic statistics may support incident detection and analysis.
The entity captures network traffic on incoming and outgoing network traffic focusing on critical assets storing sensitive data and also traffic traversing network perimeter. This enables the entity to perform incident detection and analysis.

Summaries or metadata of traffic statistics may support incident detection and analysis.
Link

Recover Data and System Availability

Control Strategy Not Started In-Progress Implemented With Issues Implemented and Monitoring ACSC Guidance
35 Business continuity and disaster recovery plans The entity does not have Business Continuity or Disaster Recovery Plans. The entity has developed Business Continuity and Disaster Recovery.

The entity has not tested Business Continuity or Disaster Recovery Plans for greater than one year.
The entity has developed Business Continuity and Disaster Recovery plans.

The entity has tested Business Continuity or Disaster Recovery Plans within the past year.
The entity has developed robust Business Continuity and Disaster Recovery plans that focus on critical systems and data. The plans are updated on an annual basis or when significant changes to ICT systems occur.

The entity has tested Business Continuity or Disaster Recovery Plans within the past year. Test results or lessons learnt from enacting plans are captured and used to improve existing plans.
Link
36 System recovery capabilities The entity has limited capabilities to restore operations from significant system failures. The entity has some capability to restore operations from significant system failures, however processes or systems are manual.

The entity's Third-party contractors/suppliers does not provide timely responses or service levels to meet Business Continuity requirements.
The entity has capability to restore operations from significant system failures.

Processes are semi-automated or consistent to enable timely recovery. The entity may deploy snapshots, Operating System deployment solutions or enterprise mobility to aid in recovery activities.

The entity's Third-party contractors/suppliers provides timely responses or service levels to meet Business Continuity requirements.
The entity has robust capabilities to restore operations from significant system failures and regularly tests system recovery capabilities.

Processes are automated/semi-automated or consistent to enable timely recovery. The entity may deploy snapshots, Operating System deployment solutions or enterprise mobility to aid in recovery activities.

The entity's Third-party contractors/suppliers provides timely responses or service levels to meet Business Continuity requirements.
Link

Preventing Malicious Insiders

Control Strategy Not Started In-Progress Implemented With Issues Implemented and Monitoring ACSC Guidance
37 Personnel management The entity does not perform pre-employment checks or have processes to manage user access. The entity performs pre-employment checks and have ad-hoc processes to manage user access. The entity performs pre-employment checks and has ongoing vetting for privileged access.

The entity has robust process to manage user access including disabling user accounts in a timely manner after.
The entity performs pre-employment checks and has ongoing vetting for privileged access.

The entity has robust process to manage user access including disabling user accounts in a timely manner after.

The entity has programs in place to remind users of security obligations and promotes education that minimises malicious intent.
Link