
Annual Implementation Report

This page has been designed to accompany the 2024 WA Cyber Security Policy Annual Implementation Report Template and provides additional guidance for assessors when answering questions in the provided template. The CSU requires that WA Government entities report against the August 2023 (first published in November 2022) for AIR reporting. This represents the 2022 maturity model.

Cyber Security Policy

This section provides guidance for the template sheet "2. Cyber Security Policy".

1. Govern

| ID | No | Yes |
| --- | --- | --- |
| 1.1.1 | The entity does not have a cybersecurity/information security policy, or the entity does have a cybersecurity/information security policy, but it does not clearly outline the responsibilities of the Accountable Authority and the allocation of executive responsibility for cybersecurity. | The entity has a cybersecurity/information security policy that clearly outlines the responsibilities of the Accountable Authority and the allocation of executive responsibility for cybersecurity. |

| ID | Not Started | Implementation in Progress | Implemented with Issues | Implemented and Monitoring |
| --- | --- | --- | --- | --- |
| 1.4.1 | The entity has not yet begun to implement cyber security governance to align with its business strategies and risk management objectives. | The entity is currently in the process of implementing cyber security governance to align with its business strategies and risk management objectives. | The entity has implemented cyber security governance to align with its business strategies and risk management objectives, but there are ongoing issues that need to be addressed. | The entity has fully implemented cyber security governance to align with its business strategies and risk management objectives, and it is actively monitoring the effectiveness of these measures. |
| 1.5.1 | The entity does not manage or govern risks associated with data offshoring, which is not in alignment with WA Government policies. It has not conducted a comprehensive and rigorous risk assessment process or obtained written endorsement from the Director General or Chief Executive Officer for any business case. | The entity has begun to manage and govern risks associated with data offshoring, in alignment with WA Government policies. It is in the process of conducting comprehensive and rigorous risk assessments and seeking written endorsement from the Director General or Chief Executive Officer for each business case, but this process is not yet fully completed. | The entity is managing and governing risks associated with data offshoring in alignment with WA Government policies, but there are issues with policy implementation. These issues may include incomplete risk assessments, delays in obtaining written endorsements from the Director General or Chief Executive Officer, or challenges in confidently managing the behaviour of offshore partners. | The entity is fully managing and governing risks associated with data offshoring in alignment with WA Government policies. It conducts comprehensive and rigorous risk assessments, obtains written endorsement from the Director General or Chief Executive Officer for each business case, and confidently manages the behaviour of offshore partners. The entity is actively monitoring the effectiveness of these processes and making necessary adjustments. |
| 1.5.2 | The entity has not yet implemented or aligned with the Western Australian Information Classification Policy. It does not clearly and consistently identify the sensitivity of its information, apply appropriate protective security measures, or communicate the sensitivity of information within the agency, with other agencies, and third-party organisations. | The entity is in the process of implementing and aligning with the Western Australian Information Classification Policy, but it has not yet been fully completed. Efforts are underway to clearly and consistently identify the sensitivity of information, apply appropriate protective security measures, and communicate the sensitivity of information within the agency, with other agencies, and third-party organisations. | The entity has implemented the Western Australian Information Classification Policy, but there are ongoing issues that need to be addressed. These issues may include inconsistencies in identifying the sensitivity of information, gaps in applying protective security measures, or challenges in communicating the sensitivity of information within the agency, with other agencies, and third-party organisations. | The entity has fully implemented the Western Australian Information Classification Policy and is actively monitoring its effectiveness. It clearly and consistently identifies the sensitivity of its information, applies appropriate protective security measures, and effectively communicates the sensitivity of information within the agency, with other agencies, and third-party organisations. |
| 1.6.1 | The entity has not yet implemented secure disposal processes for devices, computers, or media that hold digital information. | The entity is currently developing secure disposal processes for devices, computers, and media that hold digital information. This includes establishing requirements for secure disposal, such as media sanitisation or destruction techniques, and assessing vendors that could be partnered with to manage the disposal of digital media. | The entity has established secure disposal processes for devices, computers, and media that hold digital information, including secure disposal methods such as media sanitisation or destruction techniques; however, it does not ensure vendor compliance with certifications, or there are inconsistencies in following these processes. | The entity has fully established secure disposal processes for devices, computers, and media that hold digital information, including secure disposal methods such as media sanitisation or destruction techniques. It ensures vendor compliance with certifications and follows these processes fully, actively monitoring their effectiveness and making necessary adjustments. |
| 1.7.1 | The entity has not yet implemented vulnerability management governance. It does not identify assets, triage and prioritise vulnerabilities, own the risk of not updating, or verify and regularly review vulnerability management processes. | The entity is in the process of implementing vulnerability management governance, but it has not yet been fully completed. Efforts are underway to identify assets, triage and prioritise vulnerabilities, own the risk of not updating, and establish processes to verify and regularly review vulnerability management. | The entity has implemented vulnerability management governance, including identifying assets, triaging and prioritising vulnerabilities, owning the risk of not updating, and verifying and regularly reviewing vulnerability management processes. However, there are ongoing issues such as incomplete asset identification, inconsistent prioritisation, or gaps in the review process that need to be addressed. | The entity has fully implemented vulnerability management governance. It consistently identifies assets, triages and prioritises vulnerabilities, owns the risk of not updating, and verifies and regularly reviews vulnerability management processes. The entity is actively monitoring the effectiveness of these processes and making necessary adjustments. |
| 1.8.1 | The entity does not have a mechanism in place for the public to report vulnerabilities. | The entity is currently developing a mechanism for the public to report vulnerabilities. | The entity has an established mechanism for the public to report vulnerabilities; however, it does not respond to or address vulnerabilities in a timely manner. | The entity has an established reporting mechanism in place, and action is taken in a timely manner to remediate vulnerabilities. |
| 1.9.1 | The entity does not have governance in place to monitor and review whole-of-government cybersecurity advice or directives issued by the GCIO. It does not utilise methods such as emails, advisories, Cyber Security Working Group (CSWG) updates, or SOC reports provided by DGov and GCIO to stay informed. | The entity is in the process of establishing governance to monitor and review whole-of-government cybersecurity advice or directives issued by the GCIO, but it has not yet been fully completed. Efforts are underway to incorporate methods such as emails, advisories, CSWG updates, and SOC reports provided by DGov and GCIO to stay informed. | The entity has established governance to monitor and review whole-of-government cybersecurity advice or directives issued by the GCIO, but there are ongoing issues that need to be addressed, or the entity does not consistently act on the advice. There may be inconsistencies in utilising methods such as email, advisories, CSWG updates, and SOC reports provided by DGov and GCIO to stay informed. | The entity has fully established governance to monitor and review whole-of-government cybersecurity advice or directives issued by the GCIO, and is actively monitoring its effectiveness and acting on the advice. It consistently utilises methods such as emails, advisories, CSWG updates, and SOC reports provided by DGov and GCIO to stay informed. |
| 1.9.3 | The entity does not consider threat intelligence and advice provided by DGov in its operations. It does not utilise methods such as SOC advisories, emails, or working groups provided by DGov CSU to stay informed. | The entity is in the process of integrating threat intelligence and advice provided by DGov into its operations, but this process is not yet fully completed. Efforts are underway to incorporate methods such as SOC advisories, emails, and working groups provided by DGov CSU to stay informed. | The entity has integrated threat intelligence and advice provided by DGov into its operations, but there are ongoing issues that need to be addressed, or the entity does not consistently act on this intelligence and advice. There may be inconsistencies in utilising methods such as SOC advisories, emails, and working groups provided by DGov CSU to stay informed. | The entity has fully integrated threat intelligence and advice provided by DGov into its operations, and is actively monitoring its effectiveness and making necessary adjustments. It consistently utilises methods such as SOC advisories, emails, and working groups provided by DGov CSU to stay informed. |

Guidance for 1.8.1: To establish a Vulnerability Disclosure Policy, use the example Vulnerability Disclosure Policy published on www.wa.gov.au, or implement a security.txt file based on RFC 9116. This provides clear guidelines and a standardised method for the public to report vulnerabilities.
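An assessor checking 1.8.1 will want to confirm that a published security.txt actually meets RFC 9116 rather than merely existing. The following checker is an added example written for this guidance page; it is not DGov's own tooling, and the two security.txt bodies, the `agency.example` host and the assessment date are constructed. It verifies the conditions that most often make a file unusable: the mandatory `Contact` and `Expires` fields, `Expires` being a time-zoned ISO 8601 value that has not passed (the RFC recommends less than a year ahead), single-valued fields appearing once, and `Contact` values being URIs (`mailto:`, `tel:` or `https:`).

```python
"""RFC 9116 security.txt checker (added example, not part of the WA Government guidance)."""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Fields defined by RFC 9116. Contact and Expires are mandatory;
# Expires and Preferred-Languages may appear at most once.
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "CSAF", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
MANDATORY = ("Contact", "Expires")
SINGLE_VALUED = ("Expires", "Preferred-Languages")
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")

# Constructed date on which the assessment is run (kept fixed so results are reproducible).
ASSESSMENT_DATE = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample that passes the checks below (agency.example is a placeholder host).
GOOD_EXAMPLE = """\
# Constructed sample security.txt, served at https://agency.example/.well-known/security.txt
Contact: mailto:security@agency.example
Contact: https://agency.example/vulnerability-disclosure
Expires: 2025-06-30T00:00:00.000Z
Preferred-Languages: en
Canonical: https://agency.example/.well-known/security.txt
Policy: https://agency.example/vulnerability-disclosure-policy
"""

# Constructed sample with the defects an assessor commonly finds.
BAD_EXAMPLE = """\
Contact: security@agency.example
Expires: 2020-01-01T00:00:00.000Z
Expires: 2021-01-01T00:00:00.000Z
"""


def parse_security_txt(body: str) -> Dict[str, List[str]]:
    """Map field name -> list of values. Comment and blank lines are skipped;
    field names are case-insensitive, so they are normalised to the RFC spelling."""
    canonical = {name.lower(): name for name in KNOWN_FIELDS}
    fields: Dict[str, List[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("<malformed>", []).append(line)
            continue
        name, value = line.split(":", 1)
        name = canonical.get(name.strip().lower(), name.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields


def check_security_txt(body: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of findings; an empty list means the body passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(body)
    findings: List[str] = []
    for name in MANDATORY:
        if name not in fields:
            findings.append(f"missing mandatory field: {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            findings.append(f"field {name} must appear only once")
    for line in fields.get("<malformed>", []):
        findings.append(f"malformed line (no ':' separator): {line!r}")
    for value in fields.get("Contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            findings.append(f"Contact is not a mailto:/tel:/https: URI: {value}")
    for value in fields.get("Expires", [])[:1]:
        try:
            # fromisoformat() on older Pythons does not accept a trailing 'Z'.
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 date-time: {value}")
            continue
        if expires.tzinfo is None:
            findings.append("Expires must carry a time zone")
        elif expires <= now:
            findings.append(f"security.txt expired on {value}")
        elif (expires - now).days > 365:
            findings.append("Expires is more than a year ahead (RFC 9116 recommends less)")
    return findings


if __name__ == "__main__":
    for label, body in (("good", GOOD_EXAMPLE), ("bad", BAD_EXAMPLE)):
        print(label, check_security_txt(body, now=ASSESSMENT_DATE) or ["no findings"])
```

The checker reads a file body only; in practice the assessor also confirms the file is served over HTTPS at `/.well-known/security.txt` with a `text/plain` content type, which this offline example does not do.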

2. Identify

| ID | Not Started | Implementation in Progress | Implemented with Issues | Implemented and Monitoring |
| --- | --- | --- | --- | --- |
| 2.1.1A | The entity does not track or maintain an inventory of devices, servers, and other ICT equipment. | The entity currently has an incomplete inventory of devices, servers, and other ICT equipment, and is in the process of finalising it. | The entity has established inventories of devices, servers, and other ICT equipment, but they are not actively maintained. | The entity actively maintains an inventory of devices, servers, and other ICT equipment. |
| 2.1.1B | The entity does not track or maintain an inventory of application systems and servers in use. | The entity currently has an incomplete inventory of application systems and servers in use, and is in the process of finalising it. | The entity has an established inventory of application systems and servers, but it is not maintained. | The entity actively maintains an inventory of application systems and servers. |
| 2.1.1C | The entity does not track or maintain an inventory of critical databases and information assets. | The entity currently has an incomplete inventory of critical databases and information assets, and is in the process of finalising it. | The entity has an inventory of critical databases and information assets, but it is not regularly maintained. | The entity actively maintains an inventory of critical databases and information assets. |
| 2.1.1D | The entity does not track or maintain an inventory of any relevant personnel and third-party providers. | The entity currently has an incomplete inventory of any relevant personnel and third-party providers, and is in the process of finalising it. | The entity has an inventory of any relevant personnel and third-party providers, but it is not regularly maintained. | The entity actively maintains an inventory of any relevant personnel and third-party providers. |
| 2.1.1E | The entity does not track or maintain an inventory of any social media applications or accounts owned within the entity. | The entity currently has an incomplete inventory of any social media applications or accounts owned within the entity, and is in the process of finalising it. | The entity has an inventory of any social media applications or accounts owned within the entity, but it is not regularly maintained. | The entity actively maintains an inventory of social media applications or accounts owned within the entity. |
| 2.1.1F | The entity does not track or maintain an inventory of system dependencies and related risks. | The entity currently has an incomplete inventory of system dependencies and related risks, and is in the process of finalising it. | The entity has an inventory of system dependencies and related risks, but it is not regularly maintained. | The entity actively maintains an inventory of system dependencies and related risks. |
| 2.1.1G | The entity does not track or maintain an inventory of its anticipated future cybersecurity needs. | The entity currently has an incomplete inventory of its anticipated future cybersecurity needs and is in the process of finalising it. | The entity has an inventory of its anticipated future cybersecurity needs, but it is not regularly maintained. | The entity actively maintains an inventory of its anticipated future cybersecurity needs. |
| 2.1.1H | The entity does not track or maintain an inventory of any relevant legal and regulatory requirements. | The entity currently has an incomplete inventory of any relevant legal and regulatory requirements, and is in the process of finalising it. | The entity has an inventory of any relevant legal and regulatory requirements, but it is not regularly maintained. | The entity actively maintains an inventory of relevant legal and regulatory requirements. |
| 2.2.3 | The entity does not have a cyber security risk management strategy or roadmap in place, or has an ad-hoc approach to reducing cyber security risk within the entity. | The entity is in the process of developing and implementing a cyber security risk management strategy or roadmap. | The entity has implemented a cyber security risk management strategy, but there are ongoing issues that need to be addressed, or the strategy is not consistently applied. | The entity has approved a cyber security risk management strategy updated in the last year, has established a risk management program, and tracks progress using a treatment action plan. |

3. Protect

| ID | Not Started | Implementation in Progress | Implemented with Issues | Implemented and Monitoring |
| --- | --- | --- | --- | --- |
| 3.2.1 | The entity does not have cyber security training and awareness processes in place for staff. | The entity is in the process of establishing cyber security training and awareness processes. Currently, it provides ad-hoc training and awareness for staff but does not offer targeted or specialised education for users with privileged access or positions of authority/trust. | The entity has implemented cyber security training and awareness processes, providing regular training for staff/users that focuses on influencing user behaviour. However, it only provides ad-hoc targeted or specialised education for users with privileged access or positions of authority/trust, indicating ongoing issues that need to be addressed. | The entity has fully implemented structured cyber security training and awareness processes for staff/users, focusing on influencing user behaviour and measuring improvement. It also provides regular targeted or specialised education for users with privileged access or positions of authority/trust, and is actively monitoring the effectiveness of these processes and making necessary adjustments. |
| 3.3.1A | The entity does not have the capability to monitor and manage corporate issued mobile devices or harden applications residing on them from cyber security threats. | The entity is in the process of establishing capabilities to monitor and manage corporate issued mobile devices and harden applications residing on them from cyber security threats, but this process is not yet fully completed. | The entity has established capabilities to monitor and manage corporate issued mobile devices and harden applications residing on them from cyber security threats, but there are ongoing issues that need to be addressed, or the capabilities are not consistently applied. | The entity has fully established capabilities to monitor and manage corporate issued mobile devices and harden applications residing on them from cyber security threats, and is actively monitoring their effectiveness and making necessary adjustments. |
| 3.3.1B | The entity does not have the capability to monitor and manage corporate issued mobile devices during overseas business travel or harden applications residing on them from cyber security threats. | The entity is in the process of establishing capabilities to monitor and manage corporate issued mobile devices during overseas business travel and harden applications residing on them from cyber security threats, but this process is not yet fully completed. | The entity has established capabilities to monitor and manage corporate issued mobile devices during overseas business travel and harden applications residing on them from cyber security threats, but there are ongoing issues that need to be addressed, or the capabilities are not consistently applied. | The entity has fully established capabilities to monitor and manage corporate issued mobile devices during overseas business travel and harden applications residing on them from cyber security threats, and is actively monitoring their effectiveness and making necessary adjustments. |
| 3.3.1C | The entity does not have the capability to monitor and manage privately owned mobile devices accessing organisational resources or harden applications residing on them from cyber security threats. | The entity is in the process of establishing capabilities to monitor and manage privately owned mobile devices accessing organisational resources and harden applications residing on them from cyber security threats, but this process is not yet fully completed. | The entity has established capabilities to monitor and manage privately owned mobile devices accessing organisational resources and harden applications residing on them from cyber security threats, but there are ongoing issues that need to be addressed, or the capabilities are not consistently applied. | The entity has fully established capabilities to monitor and manage privately owned mobile devices accessing organisational resources and harden applications residing on them from cyber security threats, and is actively monitoring their effectiveness and making necessary adjustments. |
| 3.3.1D | The entity does not have the capability to monitor and manage privately owned mobile devices accessing organisational resources during overseas business travel or harden applications residing on them from cyber security threats. | The entity is in the process of establishing capabilities to monitor and manage privately owned mobile devices accessing organisational resources during overseas business travel and harden applications residing on them from cyber security threats, but this process is not yet fully completed. | The entity has established capabilities to monitor and manage privately owned mobile devices accessing organisational resources during overseas business travel and harden applications residing on them from cyber security threats, but there are ongoing issues that need to be addressed, or the capabilities are not consistently applied. | The entity has fully established capabilities to monitor and manage privately owned mobile devices accessing organisational resources during overseas business travel and harden applications residing on them from cyber security threats, and is actively monitoring their effectiveness and making necessary adjustments. |
| 3.4.1 | The entity does not have processes in place to manage cyber security risks associated with third party vendors, and these risks are not addressed within procurement contracts or tracked through service level agreements. | The entity is in the process of establishing processes to manage cyber security risks associated with third party vendors. Some initial steps have been taken to include these risks within procurement contracts, but progress is not yet fully tracked through service level agreements. | The entity has established processes to manage cyber security risks associated with third party vendors, and these risks are included within procurement contracts. However, there are ongoing issues with tracking progress through service level agreements, or the processes are not consistently applied. | The entity has fully implemented processes to manage cyber security risks associated with third party vendors. These risks are comprehensively addressed within procurement contracts, and progress is actively tracked through service level agreements, with regular monitoring and necessary adjustments being made. |
| 3.5.1 | The entity does not have processes in place to manage or track the security of physical assets. | The entity is in the process of establishing processes to manage and track the security of physical assets, but these processes are not yet fully completed or consistently applied. | The entity has implemented processes to manage and track the security of physical assets, but there are ongoing issues that need to be addressed, or the processes are not consistently applied. | The entity has fully implemented processes to manage and track the security of physical assets and is actively monitoring their effectiveness and making necessary adjustments. |
| 3.6.1A | The entity does not have processes in place for the appropriate management of the user lifecycle that supports Personnel Management. | The entity is in the process of establishing processes for the appropriate management of the user lifecycle that supports Personnel Management, but this process is not yet fully completed. | The entity has established processes for the appropriate management of the user lifecycle that supports Personnel Management, but there are ongoing issues that need to be addressed, or the processes are not consistently applied. | The entity has fully established processes for the appropriate management of the user lifecycle that supports Personnel Management and is actively monitoring their effectiveness and making necessary adjustments. |
| 3.6.1B | The entity does not follow the principle of least privilege when providing access. | The entity has started to follow the principle of least privilege when providing access, but it is not yet fully implemented. | The entity follows the principle of least privilege when providing access, but there are inconsistencies or issues that need to be resolved. | The entity fully follows the principle of least privilege when providing access and is actively monitoring and adjusting as needed, in alignment with Essential Eight Restrict Administrative Privileges and Personnel Management (DGov Further 5 Strategies) guidance. |
| 3.6.1C | The entity does not have a password filtering solution for all users across all systems. | The entity is in the process of implementing a password filtering solution for all users across all systems, but it is not yet fully enforced. | The entity has implemented a password filtering solution for all users across all systems, but there are ongoing issues that need to be addressed. | The entity has fully implemented a password filtering solution for all users across all systems and is actively monitoring its effectiveness and making necessary adjustments. |
| 3.6.1D | The entity is not aligned with principles mentioned in the WA Government Authentication Guidelines. | The entity is working towards alignment with principles mentioned in the WA Government Authentication Guidelines, but it is not yet fully achieved. | The entity is aligned with principles mentioned in the WA Government Authentication Guidelines, but there are issues that need to be resolved or inconsistencies. | The entity is fully aligned with the principles mentioned in the WA Government Authentication Guidelines and is actively monitoring compliance and making necessary adjustments. |
| 3.6.1F | The entity has not implemented improvements in networking controls. | The entity is in the process of improving networking controls, but these improvements are not yet fully implemented. | The entity has improved networking controls, but there are ongoing issues that need to be addressed or inconsistencies. | The entity has fully implemented improvements in networking controls and is actively monitoring their effectiveness and making necessary adjustments. |
| 3.7.1 | The entity does not have cyber security insurance that covers either first-party losses/expenses incurred by the organisation due to a cyber security incident or third-party liability claims against the organisation due to a cyber security incident. | The entity is in the process of obtaining cyber security insurance. Currently, it may have partial coverage or is negotiating terms for first-party coverage for losses/expenses incurred by the organisation due to a cyber security incident and third-party coverage for liability claims against the organisation due to a cyber security incident, but the process is not yet fully completed. | The entity has obtained cyber security insurance that includes both first-party coverage for losses/expenses incurred by the organisation due to a cyber security incident and third-party coverage for liability claims against the organisation due to a cyber security incident. However, there are ongoing issues with the coverage, such as gaps in the policy, limitations, or inconsistencies in claims processing. | The entity has fully obtained comprehensive cyber security insurance that covers both first-party losses/expenses incurred by the organisation due to a cyber security incident and third-party liability claims against the organisation due to a cyber security incident. The entity is actively monitoring the insurance coverage and making necessary adjustments to ensure it meets the organisation's needs. |

4. Detect

ID Not Started Implementation in Progress Implemented with Issues Implemented and Monitoring
4.1.1 The entity does not log network events on endpoints (workstations and laptops). The entity is in the process of establishing logging of network events on endpoints (workstations and laptops), but this process is not yet fully completed. The entity logs network events on endpoints (workstations and laptops), but there are ongoing issues with the logging process, such as incomplete logs or inconsistencies in capturing events. The entity fully logs network events on endpoints (workstations and laptops) and is actively monitoring the logs for accuracy and making necessary adjustments.
4.1.2 The entity does not log command line processes on endpoints (workstations and laptops). The entity is in the process of establishing logging of command line processes on endpoints (workstations and laptops), but this process is not yet fully completed. The entity logs command line processes on endpoints (workstations and laptops), but there are ongoing issues with the logging process, such as incomplete logs or inconsistencies in capturing processes. The entity fully logs command line processes on endpoints (workstations and laptops) and is actively monitoring the logs for effectiveness and making necessary adjustments.
4.1.3 The entity does not capture email events and URLs in its SIEM. The entity is in the process of establishing the capture of email events and URLs in its SIEM, but this process is not yet fully completed. The entity captures email events and URLs in its SIEM, but there are ongoing issues with the capture process, such as incomplete data or inconsistencies in capturing events. The entity fully captures email events and URLs in its SIEM and is actively monitoring the capture process for effectiveness and making necessary adjustments.
4.1.4 The entity does not capture identity events (logons and group/role changes) in its SIEM. The entity is in the process of establishing the capture of identity events (logons and group/role changes) in its SIEM, but this process is not yet fully completed. The entity captures identity events (logons and group/role changes) in its SIEM, but there are ongoing issues with the capture process, such as incomplete data or inconsistencies in capturing events. The entity fully captures identity events (logons and group/role changes) in its SIEM and is actively monitoring the capture process for effectiveness and making necessary adjustments.
4.1.7 The entity does not have the capability to review adverse events within 24 hours or report potential cyber security events. The entity is in the process of establishing the capability to review adverse events within 24 hours and report potential cyber security events, but this process is not yet fully completed. The entity has the capability to review adverse events within 24 hours and report potential cyber security events, but there are ongoing issues such as delays in the reporting process or incomplete event reviews. The entity has fully established the capability to review adverse events within 24 hours and report potential cyber security events, and is actively monitoring the effectiveness of these processes and making necessary adjustments.
4.1.8 The entity does not have an understanding of the potential impact of adverse events. The entity is in the process of developing an understanding of the potential impact of adverse events, but this understanding is not yet fully developed or consistently applied. The entity has an understanding of the potential impact of adverse events, but there are ongoing issues such as gaps in risk assessment or inconsistent application of this understanding across the entity. The entity has a comprehensive understanding of the potential impact of adverse events and is actively monitoring and updating this understanding as needed.
4.1.9 The entity does not have processes in place to share threat intelligence with DGov within 24 hours of acquiring it. The entity is in the process of establishing processes to share threat intelligence with DGov within 24 hours of acquiring it, but these processes are not yet fully completed. The entity has processes in place to share threat intelligence with DGov within 24 hours of acquiring it, but there are ongoing issues such as delays in communication or incomplete sharing of intelligence. The entity has fully implemented processes to share threat intelligence with DGov within 24 hours of acquiring it and is actively monitoring the effectiveness of these processes and making necessary adjustments.
4.2.1 The entity has not implemented a Security Information and Event Management (SIEM) system. The entity is in the process of implementing a Security Information and Event Management (SIEM) system, but this process is not yet fully completed. The entity has implemented a Security Information and Event Management (SIEM) system, but there are ongoing issues such as incomplete integration with existing systems, frequent false positives, or insufficient staff training to effectively use the system. The entity has fully implemented a Security Information and Event Management (SIEM) system and is actively monitoring its effectiveness, making necessary adjustments to ensure optimal performance.
4.5.1 The entity has not implemented the guidance under "Baseline for Detection Coverage (MITRE ATT&CK)". It does not have processes in place for telemetry collection and detection analytics aligned to the MITRE ATT&CK framework. The entity is in the process of implementing telemetry collection and detection analytics aligned to the MITRE ATT&CK framework, but this process is not yet fully completed. The entity has implemented the guidance under "Baseline for Detection Coverage (MITRE ATT&CK)", but there are gaps in data sources, telemetry sensors, detection assets, and analytics guidance. A checklist has been created and completed to calculate the percentage of assets covered for a given log retention window, but reviews are not performed regularly. The entity has fully implemented the guidance under "Baseline for Detection Coverage (MITRE ATT&CK)", which covers data sources, telemetry sensors, detection assets, and analytics guidance. A checklist has been created and completed to calculate the percentage of assets covered for a given log retention window, and assessments are performed regularly to ensure ongoing alignment and effectiveness.

5. Respond

ID Not Started Implementation in Progress Implemented with Issues Implemented and Monitoring
5.1.1 The entity does not have an Incident Response Plan for cyber incidents. The entity has developed an Incident Response Plan for cyber incidents, but has not tested the plan in more than a year. The entity has developed an Incident Response Plan for cyber incidents and has tested the plan within the past year. However, there may be issues such as incomplete testing or gaps in the plan that need to be addressed. The entity has developed robust Incident Response Plans for cyber incidents, which may include "playbooks" for common cyber threats. The plans are updated on an annual basis or when significant changes to ICT systems occur. The entity has tested the Incident Response Plan within the past year, and test results or lessons learned from enacting the plans are captured and used to improve existing plans.
5.1.4 The entity does not respond to security alerts. It lacks the capability to triage and develop an appropriate timely response to cyber security incidents. The entity is developing capabilities to respond to security alerts or is ad-hoc in its approach to responding to security alerts. Efforts are underway to establish processes for triaging and developing timely responses to cyber security incidents, but these processes are not yet fully completed. The entity has capabilities to respond to security alerts and has developed repeatable processes for security operations staff to respond to security alerts. However, there are ongoing issues such as inconsistencies in response times or gaps in the triage process that need to be addressed. The entity has robust capabilities to respond and triage security alerts in a timely manner. It has fully developed and implemented processes for responding to cyber security incidents and is actively monitoring the effectiveness of these processes, making necessary adjustments to ensure timely and appropriate responses.

6. Recover

ID Not Started Implementation in Progress Implemented with Issues Implemented and Monitoring
6.1.2 The entity does not have a Business Continuity or Incident Management Plan, and no Recovery Time Objectives or Maximum Tolerable Outage timeframes are defined. The entity is in the process of implementing a Business Continuity Plan or Incident Management Plan. The entity has defined timeframes for Recovery Time Objectives or Maximum Tolerable Outage but has not yet tested response times to ensure alignment with these timeframes. The entity has implemented a Business Continuity Plan or Incident Management Plan. The entity has tested the restoration timeframes for Recovery Time Objectives or Maximum Tolerable Outage, but there are gaps in the organisation's preparedness, such as not consulting with business owners on an annual basis to ensure these timeframes meet business needs, or lessons learnt not having been reviewed and incorporated to improve processes and future responses. The entity has a Business Continuity Plan or Incident Management Plan. The entity has tested the restoration timeframes for Recovery Time Objectives or Maximum Tolerable Outage, confirming that timeframes are met and consulting with business owners on an annual basis. Lessons learned are captured and used to improve processes and future responses.

ACSC Strategies

This section provides guidance for the sheet 5. Strategies to Mitigate.

The implementation status of each of the ACSC Strategies to Mitigate Cyber Security Incidents is rated using the following terms. A maturity assessment tool for each strategy is provided below, with general guidance to enable assessors to determine the agency's level of implementation of the strategy.

Option Description
1. Not Applicable
  • Based on an assessment of risk, the agency has decided the control is not required.
  • Compensating controls are in place to manage related risk.
2. Not started
  • The control has been selected for implementation; however, work to implement it has not started.
  • The control is not effective yet.
3. In Progress
  • Implementation of the control is in progress and not complete.
  • The control is partially effective, or ineffective.
4. Implemented with Issues
  • The control is implemented, however exceptions/failures are common.
  • The control is partially effective, or possibly ineffective.
5. Implemented and Monitoring
  • The control is implemented and monitored for exceptions.
  • Control exceptions/failures are minimal, managed, and understood.
  • The control is effective.

Prevent Malware Delivery and Execution

Control Strategy Not Started In-Progress Implemented With Issues Implemented and Monitoring ACSC Guidance
5 Automated dynamic analysis of email and web content run in a sandbox The entity has not deployed sandbox analysis of inbound email or web content. The entity has deployed a sandbox analysis solution for inbound email and/or web content that is not fully functional or is in audit/passive mode only. The entity has deployed a sandbox analysis solution for inbound email and/or web content, but it uses untuned rule-sets or excessive bypass lists, or does not receive timely vendor intelligence definitions. The entity has deployed a sandbox analysis solution for inbound email and web content. The solution has finely tuned rule-sets and minimal bypass lists, and receives regular vendor intelligence definitions. link
6 Email content filtering The entity does not perform content filtering of inbound email. The entity has deployed an email content filtering solution that is not finely tuned or is left at system defaults for the inspection of email content types including file attachments and hyperlinks, or is configured in audit/passive mode only. The entity has deployed an email content filtering solution and has fine-tuned its configuration for the inspection of email content types; however, rulesets are overly permissive.

Content which cannot be scanned is not blocked.
The entity has deployed an email content filtering solution with fine-tuned, robust rulesets configured to capture all inbound mail and inspect hyperlinks and attachments. The filtering solution receives regular vendor intelligence definitions.

Content that cannot be scanned is blocked/quarantined.

Inbound mail is blocked if the external sender address is the same as the internal domain.
Link
7 Web content filtering The entity does not perform filtering of web content. The entity has deployed web content filtering, but not all traffic is subject to filtering or rules are overly permissive. HTTPS traffic is not filtered. The entity deploys web content filtering for most HTTP and HTTPS traffic. Filtering rules restrict access to uncategorised domains, web advertisements, anonymity services, and free and anonymous domains used by adversaries. Access to websites via IP address is blocked. The entity deploys web content filtering for all HTTP and HTTPS traffic. Filtering rules restrict access to uncategorised domains, web advertisements, anonymity services, and free and anonymous domains used by adversaries. Access to websites via IP address is blocked. Filtering rules restrict access to malicious executables, Flash/ActiveX/Java content and Microsoft Office files containing macros. Vendor intelligence definitions are updated regularly. Link
8 Deny corporate computers direct internet connectivity The entity's perimeter firewall is configured to allow corporate computers direct internet access. The entity's perimeter firewall is configured to only allow corporate computers outbound access to approved ports and protocols including HTTP and HTTPS. The entity's perimeter firewall is configured to only allow corporate computers outbound access to approved ports and protocols.

Corporate Computers outbound internet traffic for HTTP and HTTPS is routed via a proxy.
The entity's perimeter firewall is configured to only allow corporate computers outbound access to approved ports and protocols.

Corporate Computers outbound internet traffic for HTTP and HTTPS is routed via an authenticated proxy.

Servers are restricted from browsing the internet and accessing email services.
Link
9 Operating system generic exploit mitigation The entity deploys operating systems with default exploit mitigation settings enabled.

The entity has Windows 32-bit operating systems present.
The entity deploys operating systems with default exploit mitigation settings enabled.

The entity only has Windows 64-bit operating systems present.
The entity deploys operating systems with Data Execution Prevention, Address Space Layout Randomisation or Enhanced Mitigation Experience Toolkit rules configured on some machines.

The entity only has Windows 64-bit operating systems present. Linux operating systems are deployed with Security-Enhanced Linux (SELinux).
The entity deploys operating systems with Data Execution Prevention, Address Space Layout Randomisation or Enhanced Mitigation Experience Toolkit rules configured on all machines.

The entity only has Windows 64-bit operating systems present. Linux operating systems are deployed with Security-Enhanced Linux (SELinux).
Link
10 Server application hardening The entity has not assessed or applied Server Application Hardening controls. Default installations may provide insecure configurations that expose server applications to cyber threats. The entity has commenced applying server application hardening techniques, such as ASD Hardening for Server Applications, and prioritises configuration of internet facing systems. The entity has applied server application hardening techniques, such as ASD Hardening for Server Applications, to data and to applications that access important data. Hardening has been prioritised for internet facing systems.

The entity has chosen Server Applications from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products. OWASP provides principles for Web Applications that mitigate common design.
The entity has applied server application hardening techniques, such as ASD Hardening for Server Applications, to data and to applications that access important data. Hardening has been applied to internet facing systems and non-internet facing systems.

The entity has chosen Server Applications from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products. OWASP provides principles for Web Applications that mitigate common design.
Link
11 Operating system hardening The entity has not assessed or applied Operating System Hardening controls. Default installations may provide insecure configurations that expose Operating Systems to cyber threats. The entity has commenced applying Operating System hardening controls.

File and registry key permissions are hardened, and Windows Task Scheduler, the DLL search path algorithm and file extensions are configured to prevent users from executing malicious programs.

The entity has started disabling unneeded functionality such as Server Message Block (SMB), Link-Local Multicast Name Resolution (LLMNR), Web Proxy Auto-Discovery (WPAD), RDP and AutoRun.
The entity has applied Operating System hardening controls to most workstations using a managed Standard Operating Environment (SOE).

The entity has commenced applying Operating System hardening controls to servers.

File and registry key permissions are hardened, and Windows Task Scheduler, the DLL search path algorithm and file extensions are configured to prevent users from executing malicious programs.

The entity has disabled unneeded functionality such as Server Message Block (SMB), Link-Local Multicast Name Resolution (LLMNR), Web Proxy Auto-Discovery (WPAD), RDP and AutoRun.
The entity has applied Operating System hardening controls to workstations and servers using a managed Standard Operating Environment (SOE) and monitors for drifts in configuration.

File and registry key permissions are hardened, and Windows Task Scheduler, the DLL search path algorithm and file extensions are configured to prevent users from executing malicious programs.

The entity has disabled unneeded functionality such as Server Message Block (SMB), Link-Local Multicast Name Resolution (LLMNR), Web Proxy Auto-Discovery (WPAD), RDP and AutoRun.
Link
12 Antivirus software using heuristics and reputation ratings The entity does not install antivirus software on computers or gateways. The entity has installed antivirus software on some computers that checks a file's prevalence or digital signature before execution. The entity has installed antivirus software on most computers that is configured to check a file's prevalence and digital signature before execution.

The entity has installed antivirus software on gateways that checks a file's prevalence and digital signature before execution.
The entity has installed antivirus software on all computers that is configured to check a file's prevalence and digital signature before execution.

The entity has installed antivirus software on gateways (from a different vendor than the computers) that checks a file's prevalence and digital signature before execution.
Link
13 Control removable storage media and connected devices The entity does not control removable storage media and connected devices. The entity has a robust policy and process in place for storage media and file transfer.

The entity has commenced configuration of controls to restrict access to unapproved storage media and connected devices.
The entity has a robust policy and process in place for storage media and file transfer.

The entity has configured controls to restrict access to unapproved storage media and connected devices on most computers.
The entity has a robust policy and process in place for storage media and file transfer.

The entity has configured controls to restrict access to unapproved storage media and connected devices on all computers.
Link
14 Block spoofed emails The entity does not deploy Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) or Domain-based Message Authentication, Reporting, and Conformance (DMARC) for domains owned by the agency. The entity has implemented SPF.

The entity has not commenced configuration of DKIM or DMARC.
The entity has implemented SPF.

The entity has commenced DKIM configuration against owned domains.

The entity has commenced DMARC configuration and has policy set to “none” or “quarantine”.
The entity has implemented SPF with hardfail.

The entity has implemented DKIM across email infrastructure.

The entity has implemented DMARC with policy set to reject.
Link
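The four levels in the "Block spoofed emails" row above can be checked mechanically from a domain's published DNS records. The script below is an added example and not part of the original guidance; it assumes TXT records are supplied as a dict (constructed sample data for hypothetical domains, so it runs offline), assumes the DKIM selector names to probe, and its mapping of in-between combinations (for example SPF softfail with DMARC "none") onto the rubric's middle levels is the author's own reading of the row.

```python
"""Rate a domain's SPF/DKIM/DMARC configuration against the 'Block spoofed emails'
maturity levels. Added example; DNS data below is constructed, not real."""
import re

# Constructed sample TXT records for three hypothetical domains.
SAMPLE_TXT = {
    "agency-a.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.agency-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example"],
    "selector1._domainkey.agency-a.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "agency-b.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.agency-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example"],
    "agency-c.example": ["some unrelated txt record"],
}

LEVELS = ("Not Started", "In Progress", "Implemented with Issues",
          "Implemented and Monitoring")


def spf_all_qualifier(txt_records):
    """Return the qualifier on the SPF 'all' mechanism: '-' hardfail, '~' softfail,
    '?' neutral, '+' pass. None means no SPF record is published.
    (A 'redirect=' modifier is not followed; treat that as an assumption.)"""
    for rec in txt_records:
        if not rec.lower().startswith("v=spf1"):
            continue
        m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", rec, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # RFC 7208: a missing qualifier means '+'
        return "?"                     # no 'all' term behaves as neutral
    return None


def dmarc_policy(txt_records):
    """Return the DMARC 'p' tag (none/quarantine/reject) or None if no record."""
    for rec in txt_records:
        if not rec.lower().startswith("v=dmarc1"):
            continue
        tags = {}
        for tag in rec.split(";"):
            key, _, value = tag.partition("=")
            if value:
                tags[key.strip().lower()] = value.strip().lower()
        return tags.get("p")
    return None


def dkim_published(txt_records):
    """A DKIM key record must carry a 'p=' tag (the 'v=DKIM1' tag is optional)."""
    return any(re.search(r"(?:^|;)\s*p=", r) for r in txt_records)


def rate_domain(domain, txt=SAMPLE_TXT, selectors=("selector1", "selector2")):
    """Map the observed records onto the rubric's four levels (mapping is an assumption)."""
    spf = spf_all_qualifier(txt.get(domain, []))
    dmarc = dmarc_policy(txt.get(f"_dmarc.{domain}", []))
    dkim = any(dkim_published(txt.get(f"{s}._domainkey.{domain}", []))
               for s in selectors)
    if spf is None and dmarc is None and not dkim:
        level = 0                                   # nothing deployed
    elif spf == "-" and dkim and dmarc == "reject":
        level = 3                                   # SPF hardfail + DKIM + DMARC reject
    elif spf is not None and (dkim or dmarc is not None):
        level = 2                                   # SPF plus partial DKIM/DMARC
    else:
        level = 1                                   # SPF only (or an incomplete start)
    return {"domain": domain, "spf_all": spf, "dkim": dkim,
            "dmarc_p": dmarc, "level": LEVELS[level]}


if __name__ == "__main__":
    for d in ("agency-a.example", "agency-b.example", "agency-c.example"):
        print(rate_domain(d))
```

Against live DNS, replace `SAMPLE_TXT` lookups with a resolver query for each name; the rating logic is unchanged.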
15 User education The entity does not perform Training and Awareness for cyber security or information security for staff. The entity provides ad-hoc Training and Awareness for cyber security for staff.

The entity does not provide targeted or specialised education for users with privileged access or positions of authority/trust.
The entity provides regular Training and Awareness for cyber security for staff/users that focuses on influencing user behaviour.

The entity provides ad-hoc targeted or specialised education for users with privileged access or positions of authority/trust.
The entity provides structured Training and Awareness for cyber security for staff/users that focuses on influencing user behaviour and measuring improvement.

The entity provides regular targeted or specialised education for users with privileged access or positions of authority/trust.
Link
16 Antivirus software with up-to-date signatures The entity does not install antivirus software on computers or gateways. The entity has signature-based antivirus software from a reputable vendor installed on some computers or has commenced the deployment on gateways. The entity has signature-based antivirus software from a reputable vendor installed on most computers or has commenced the deployment on gateways.

Antivirus software definitions update automatically.

Antivirus software is configured to scan files upon opening or scanned on a regular basis.
The entity has signature-based antivirus software from a reputable vendor deployed to all computers and gateways to detect more sophisticated malware.

Antivirus software definitions update automatically and regularly.

Antivirus software is configured to scan files upon opening and scanned on a regular basis.
Link
17 TLS encryption between email servers The entity does not enable Transport Layer Security (TLS) on email servers. The entity has commenced configuration of Transport Layer Security (TLS) on email servers for inbound or outbound email communication. The entity has configured Transport Layer Security (TLS) for both inbound and outbound email communication to prevent legitimate emails being intercepted and subsequently leveraged for social engineering. The entity has enforced Transport Layer Security (TLS) for both inbound and outbound email communication to prevent legitimate emails being intercepted and subsequently leveraged for social engineering.

The entity configures content scanning after email traffic is decrypted as part of the "Email content filtering" strategy.
Link

Limit the Extent of Cyber Security Incidents

Control Strategy Not Started In-Progress Implemented With Issues Implemented and Monitoring ACSC Guidance
21 Disable local administrator account The entity does not disable local administrator accounts or set unique credentials for each computer. The entity has commenced disabling local administrator accounts or managing their credentials with a solution such as Windows Local Administrator Password Solution (LAPS) to prevent lateral movement using administrator credentials. The entity has disabled local administrator accounts or managed their credentials with a solution such as Windows Local Administrator Password Solution (LAPS) to prevent lateral movement using administrator credentials on most computers.

Credentials for local administrator accounts are created uniquely and stored within Active Directory or Azure Active Directory.
The entity has disabled local administrator accounts or managed their credentials with a solution such as Windows Local Administrator Password Solution (LAPS) to prevent lateral movement using administrator credentials on most computers.

Credentials for local administrator accounts are created uniquely and stored within Active Directory or Azure Active Directory.

Windows LAPS is used to automatically manage the Directory Services Restore Mode (DSRM) account password on the entity's Windows Server Active Directory domain controllers.
Link
22 Network segmentation The entity does not perform network segmentation (i.e. it has a flat network). The entity has deployed network controls such as Virtual LANs, firewalls and access control lists that constrain devices with low assurance (e.g. BYOD and IoT).

The entity has not commenced implementation of Jump boxes, Software based firewall and IPsec for servers and cloud computing infrastructure.
The entity has deployed network controls such as Virtual LANs, firewalls and access control lists that constrain devices with low assurance (e.g. BYOD and IoT), and has limited user access to network drives and data repositories based on user duties.

The entity has commenced implementation of Jump boxes, Software based firewall and IPsec for servers and cloud computing infrastructure.
The entity has deployed network controls such as Virtual LANs, firewalls and access control lists that constrain devices with low assurance (e.g. BYOD and IoT), and has limited user access to network drives and data repositories based on user duties.

The entity has implemented jump boxes, software-based firewalls and IPsec for servers and cloud computing infrastructure.

The entity has deployed micro-segmentation or denied traffic between computers unless required.
Link
23 Protect authentication credentials The entity has not assessed their environment to protect authentication credentials. The entity has enforced strong password policies.

The entity has disabled WDigest (setting UseLogonCredential to 0), removed cpassword values from Group Policy Preference XML, and disabled Link-Local Multicast Name Resolution (LLMNR) to prevent password exposure over insecure channels.

The entity changes default passphrases.
The entity has enforced strong password policies and uses solutions to prevent weak passwords.

The entity has disabled WDigest (setting UseLogonCredential to 0), removed cpassword values from Group Policy Preference XML, and disabled Link-Local Multicast Name Resolution (LLMNR) to prevent password exposure over insecure channels.

The entity changes default passphrases and uses Password Vaults to securely store credentials.

The entity may have enabled Credential Guard on Windows 10 or later workstations.
The entity has enforced strong password policies and uses solutions to prevent weak passwords.

The entity has disabled WDigest (setting UseLogonCredential to 0), removed cpassword values from Group Policy Preference XML, and disabled Link-Local Multicast Name Resolution (LLMNR) to prevent password exposure over insecure channels.

The entity changes default passphrases and uses Password Vaults to securely store credentials.

The entity has enabled Credential Guard on Windows 10/Server 2016 or later.
Link
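Two of the settings in the "Protect authentication credentials" row above (WDigest disabled via UseLogonCredential, cpassword values removed from Group Policy Preference XML) plus the LLMNR policy can be verified from exported artefacts. The script below is an added example, not part of the original guidance: the .reg text and Groups.xml are constructed samples, the registry paths are the standard Windows locations for these values, and treating an absent value as "not verified" rather than compliant is the script's own assumption.

```python
"""Audit a decoded 'reg export' (.reg) text and a GPP Groups.xml for the credential
exposure settings in the 'Protect authentication credentials' row. Added example;
all sample data below is constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed .reg export (real exports are UTF-16LE; decode before passing in).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000000
"""

# Constructed Groups.xml as found under a GPO's Preferences folder in SYSVOL.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="localadmin">
    <Properties action="U" userName="localadmin" cpassword="PLACEHOLDER_NOT_A_REAL_VALUE"/>
  </User>
</Groups>
"""

# (registry key, value name) -> (expected DWORD, description)
CHECKS = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "UseLogonCredential"): (0, "WDigest plaintext credential caching disabled"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient",
     "EnableMulticast"): (0, "LLMNR disabled via DNS client policy"),
}


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] sections and "name"=dword:hex."""
    values = {}
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and line.startswith('"'):
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                values[(current_key, m.group(1))] = int(m.group(2), 16)
    return values


def check_registry(text):
    """Compare each expected value with the export; an absent value is reported as
    actual=None and ok=False (not verified), which is this script's assumption."""
    values = parse_reg_export(text)
    findings = []
    for (key, name), (expected, desc) in CHECKS.items():
        actual = values.get((key, name))
        findings.append({"setting": f"{key}\\{name}", "check": desc,
                         "expected": expected, "actual": actual,
                         "ok": actual == expected})
    return findings


def find_cpassword(xml_text):
    """Return (element tag, account name) for every element carrying a cpassword attribute.
    Only presence is reported; the value itself is never decoded or printed."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        if "cpassword" in elem.attrib:
            hits.append((elem.tag, elem.attrib.get("userName") or elem.attrib.get("name", "")))
    return hits


def audit(reg_text=SAMPLE_REG, gpp_xml=SAMPLE_GROUPS_XML):
    """Run both checks and summarise whether the row's settings are all in place."""
    reg_findings = check_registry(reg_text)
    cpw = find_cpassword(gpp_xml)
    return {"registry": reg_findings, "cpassword_hits": cpw,
            "all_clear": all(f["ok"] for f in reg_findings) and not cpw}


if __name__ == "__main__":
    result = audit()
    for f in result["registry"]:
        print(("PASS" if f["ok"] else "FAIL"), f["check"], "actual =", f["actual"])
    print("cpassword attributes found:", result["cpassword_hits"])
```

In the constructed sample the WDigest value is 1 and a cpassword attribute is present, so the audit reports both as findings while the LLMNR policy passes.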
24 Non-persistent virtualised sandboxed environment The entity does not use non-persistent virtualised sandboxed environments. The entity uses a non-persistent virtualised environment to deny access to sensitive data for only some risky activities.

Examples include Microsoft Application Guard (e.g. MS Office/MS Edge).
The entity uses inbuilt sandbox and non-persistent virtualised environment approaches, with issues, to deny access to sensitive data for most risky activities.

Examples include Microsoft Application Guard or Virtual Desktop Infrastructure with non-persistent profiles.
The entity uses inbuilt sandbox and non-persistent virtualised environment approaches, with issues, to deny access to sensitive data for all risky activities.

Examples include Microsoft Application Guard or Virtual Desktop Infrastructure with non-persistent profiles.
Link
25 Software-based application firewall, blocking incoming network traffic The entity has disabled or does not configure software-based application firewalls (e.g. Windows Firewall) to prevent incoming network connections. The entity has commenced configuration of a software-based application firewall for incoming network traffic. The entity has configured a software-based application firewall with a limited rule set to block malicious and unintended incoming network traffic. The entity has configured a software-based application firewall to block malicious and unintended incoming network traffic. Rules are configured to provide maximum protection to network services and prevent unneeded/unauthorised traffic (following least privilege access principles). Link
26 Software-based application firewall, blocking outgoing network traffic The entity has disabled or does not configure software-based application firewalls (e.g. Windows Firewall) to prevent outgoing network connections. The entity has commenced configuration of a software-based application firewall for outgoing network traffic. The entity has configured a software-based application firewall with a limited rule set to block malicious and unintended outgoing network traffic. The entity has configured a software-based application firewall to block malicious and unintended outgoing network traffic. Rules are configured to permit only the minimum level of network activity required by the user or system (following least privilege access principles). Link
27 Outbound web and email data loss prevention The entity does not deploy Data Loss Prevention solutions to identify or prevent exfiltration of sensitive organisational data. The entity has commenced considering Data Loss Prevention solutions to identify or prevent exfiltration of sensitive organisational data.

Sensitive Data may be identified and labelled with Data Classification Sensitivity labels, or via sensitive data patterns/keywords.

Some prevention controls may limit exfiltration of sensitive data by logging or blocking access to unapproved cloud computing services including personal webmail.
The entity has configured Data Loss Prevention solutions to identify or prevent exfiltration of sensitive organisational data.

Sensitive Data is identified and labelled with Data Classification Sensitivity labels, or via sensitive data patterns/keywords.

Prevention controls limit exfiltration of sensitive data by logging or blocking access to unapproved cloud computing services including personal webmail.

Outgoing email with sensitive data patterns, size and frequency are logged and reported.
The entity has configured Data Loss Prevention solutions to identify and prevent exfiltration of sensitive organisational data.

Sensitive Data is identified and labelled with Data Classification Sensitivity labels, or via sensitive data patterns/keywords.

Prevention controls limit exfiltration of sensitive data by logging or blocking access to unapproved cloud computing services including personal webmail.

Outgoing email with sensitive data patterns, size and frequency are logged and reported.
Link

Detect Cyber Security Incidents and Respond

Control Strategy Not Started In-Progress Implemented With Issues Implemented and Monitoring ACSC Guidance
28 Continuous incident detection and response The entity does not have a Security Information and Event Management (SIEM) solution. The entity has a Security Information and Event Management (SIEM) solution in place to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour.

SIEM has low levels of visibility, low coverage of assets (sources) or logs may be distributed in other security solutions not captured by the SIEM.

SIEM Logs are stored for only 12 months.

The entity has started testing Incident response plan, processes and technical capabilities.
The entity has a Security Information and Event Management (SIEM) solution in place to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour.

The SIEM has good visibility and high coverage of assets (sources), but logs may be distributed in other security solutions not captured by the SIEM.

Logs are stored for only 12 months.

Incident response plan, processes and technical capabilities are not regularly tested.
The entity has a Security Information and Event Management (SIEM) solution in place to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour.

The SIEM has excellent visibility and high coverage of assets (sources), and logs from other security solutions are captured by the SIEM.

Logs are stored for a retention period of at least 18 months, or as required to meet regulatory requirements.

Incident response plan, processes and technical capabilities are regularly tested.
Link
29 Host-based intrusion detection/prevention system The entity does not have a Host-based intrusion detection/prevention system (HIDS/HIPS). The entity has commenced configuring Host-based intrusion detection/prevention system (HIDS/HIPS).

The system may be able to identify anomalous behaviour during program execution, but may not be configured to block it.
The entity has configured Host-based intrusion detection/prevention system (HIDS/HIPS) to identify anomalous behaviour.

HIDS/HIPS may be configured aggressively for the operating environment, resulting in a high volume of false positives that impact user experience and may burden cyber security incident response teams.
The entity has configured Host-based intrusion detection/prevention system (HIDS/HIPS) to identify anomalous behaviour.

HIDS/HIPS is configured appropriately for the operating environment, with minimal impact on user experience, and supports cyber security incident response teams.
Link
30 Endpoint detection and response software The entity does not use Endpoint Detection and Response (EDR) software. The entity has commenced deployment of Endpoint detection and response (EDR) software to capture system behaviour logs and other telemetry metadata. The entity has deployed Endpoint detection and response (EDR) software to most computers to capture system behaviour logs and other telemetry metadata.

EDR software generates enough useful data to enable cyber security incidents to be identified, without causing too many false positives.
The entity has deployed Endpoint detection and response (EDR) software to all computers to capture system behaviour logs and other telemetry metadata.

EDR software generates enough useful data to enable cyber security incidents to be identified, without causing too many false positives.

EDR enables investigation and response activities such as rapidly analysing multiple computers seamlessly, blocking specific network communication attempts and isolating a compromised computer from the network.
Link
31 Hunt to discover incidents The entity does not have the capability or an approach to hunt for incidents. The entity has initiated threat hunting activities based on knowledge of adversary tradecraft.

The entity may leverage Indicators of compromise and threat intelligence to discover incidents.
The entity performs threat hunting activities based on knowledge of adversary tradecraft.

The entity will leverage Indicators of compromise and threat intelligence to discover incidents.
The entity proactively performs threat hunting activities based on knowledge of adversary tradecraft.

The entity leverages indicators of compromise and threat intelligence to discover incidents, but also focuses on detecting strategies, tactics, techniques and procedures that are outside of known threats.
Link
32 Network-based intrusion detection/prevention system The entity does not have a Network-based intrusion detection/prevention system (NIDS/NIPS). The entity has commenced configuring network-based intrusion detection/prevention system (NIDS/NIPS). The system may be able to identify anomalous network traffic, but may not be configured to block it. The entity has configured Network-based intrusion detection/prevention system (NIDS/NIPS) to identify anomalous network behaviour.

NIDS/NIPS may be configured aggressively for the operating environment, resulting in a high volume of false positives that impact user experience and may burden cyber security incident response teams.
The entity has configured Network-based intrusion detection/prevention system (NIDS/NIPS) to identify anomalous behaviour.

NIDS/NIPS may be configured appropriately for the operating environment providing minimum impact to user experience and supports cyber security incident response teams.
Link
33 Capture network traffic The entity does not capture Network traffic to perform incident detection and analysis. The entity captures network traffic to create summaries or Metadata of traffic statistics.

The summaries of metadata may identify general network patterns, but may not be sufficient to enable incident detection and analysis.
The entity captures network traffic on incoming and outgoing network traffic without focusing on critical assets storing sensitive data. This enables the entity to perform incident detection and analysis.

Summaries or metadata of traffic statistics may support incident detection and analysis.
The entity captures network traffic on incoming and outgoing network traffic focusing on critical assets storing sensitive data and also traffic traversing network perimeter. This enables the entity to perform incident detection and analysis.

Summaries or metadata of traffic statistics may support incident detection and analysis.
Link

Recover Data and System Availability

Columns: Control Strategy | Not Started | In-Progress | Implemented With Issues | Implemented and Monitoring | ACSC Guidance
35 Business continuity and disaster recovery plans
Not Started: The entity does not have Business Continuity or Disaster Recovery Plans.
In-Progress: The entity has developed Business Continuity and Disaster Recovery Plans. The entity has not tested Business Continuity or Disaster Recovery Plans for greater than one year.
Implemented With Issues: The entity has developed Business Continuity and Disaster Recovery Plans. The entity has tested Business Continuity or Disaster Recovery Plans within the past year.
Implemented and Monitoring: The entity has developed robust Business Continuity and Disaster Recovery Plans that focus on critical systems and data. The plans are updated on an annual basis or when significant changes to ICT systems occur. The entity has tested Business Continuity or Disaster Recovery Plans within the past year. Test results or lessons learnt from enacting the plans are captured and used to improve existing plans.
ACSC Guidance: Link

36 System recovery capabilities
Not Started: The entity has limited capabilities to restore operations from significant system failures.
In-Progress: The entity has some capability to restore operations from significant system failures; however, processes or systems are manual. The entity's third-party contractors/suppliers do not provide timely responses or service levels to meet Business Continuity requirements.
Implemented With Issues: The entity has the capability to restore operations from significant system failures. Processes are semi-automated or consistent enough to enable timely recovery. The entity may deploy snapshots, operating system deployment solutions or enterprise mobility to aid recovery activities. The entity's third-party contractors/suppliers provide timely responses or service levels to meet Business Continuity requirements.
Implemented and Monitoring: The entity has robust capabilities to restore operations from significant system failures and regularly tests its system recovery capabilities. Processes are automated/semi-automated or consistent enough to enable timely recovery. The entity may deploy snapshots, operating system deployment solutions or enterprise mobility to aid recovery activities. The entity's third-party contractors/suppliers provide timely responses or service levels to meet Business Continuity requirements.
ACSC Guidance: Link

Preventing Malicious Insiders

Columns: Control Strategy | Not Started | In-Progress | Implemented With Issues | Implemented and Monitoring | ACSC Guidance
37 Personnel management
Not Started: The entity does not perform pre-employment checks or have processes to manage user access.
In-Progress: The entity performs pre-employment checks and has ad-hoc processes to manage user access.
Implemented With Issues: The entity performs pre-employment checks and has ongoing vetting for privileged access. The entity has a robust process to manage user access, including disabling user accounts in a timely manner after.
Implemented and Monitoring: The entity performs pre-employment checks and has ongoing vetting for privileged access. The entity has a robust process to manage user access, including disabling user accounts in a timely manner after. The entity has programs in place to remind users of their security obligations and promotes education that minimises malicious intent.
ACSC Guidance: Link