Australian Government
Information Security Manual
Changes Document
Security control changes
Security controls 1541 and 1542 added.
Security Control: 1541; Revision: 0; Updated: Jan-19; Applicability: O, P, S, TS; Priority: Must
Microsoft Office is configured to disable support for Flash content.
Security Control: 1542; Revision: 0; Updated: Jan-19; Applicability: O, P, S, TS; Priority: Must
Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.
Security controls 0809 and 1484 revised.
Security Control: 0809; Revision: 3; Updated: Jan-19; Applicability: O, P, S, TS; Priority: Must
When a change to a system or its environment impacts the security posture of the system, security risks associated
with the operation of the system are determined by a security assessment, and formally accepted by an
authorising officer, before the system is authorised to continue operating.
Security Control: 1484; Revision: 1; Updated: Jan-19; Applicability: O, P, S, TS; Priority: Must
Web browsers are configured to block or disable support for Flash content.
Content changes
Cyber security guidelines
Title changed from ‘Cyber security guidelines’ to ‘Cyber security framework’.
Guidelines for cyber security rules
Reference to ‘Guidelines for system administration’ changed to ‘Guidelines for system management’.
Guidelines for authorising systems
Security control 0809 was revised to shift the focus from ‘reaccreditation’ to activities required when a change to
a system or its environment impacts its security posture.
Fixed typographical error in security control 0904 – ‘Statement of Applicably’ replaced with ‘Statement of
Applicability’.
Guidelines for cyber security incidents
Fixed typographical error in security control 0917 – ‘inflected systems’ replaced with ‘infected systems’.
Guidelines for outsourcing
Amendment made to the wording referencing the Guidelines for authorising systems.
Reference added under further information for the Australian Cyber Security Centre’s Managed Service Provider
Partner Program (MSP3).
Guidelines for enterprise mobility
Updated the reference to the ‘Enterprise Mobility including Bring Your Own Device (BYOD)’ publication to
‘Enterprise Mobility Including Bring Your Own Device (BYOD)’.
Guidelines for ICT equipment management
Amendment made to ‘Sanitisation and disposal of ICT equipment’ to reflect solid state drives being a class of non-volatile semiconductor memory and not non-volatile magnetic memory.
Guidelines for media management
Fixed typographical error in ‘External interface connections that allow Direct Memory Access’ – ‘physically
measures’ replaced with ‘physical measures’.
Updated the URL for the National Security Agency’s Degausser Evaluated Product List.
Guidelines for system hardening
Updated the reference to the ‘Application Whitelisting Explained’ publication to ‘Implementing Application
Whitelisting’.
Modified security control 1484 to emphasise that it relates to all Flash content.
Added security control 1541 to address support for Flash content within Microsoft Office.
Added security control 1542 to address the activation of Object Linking and Embedding packages within Microsoft
Office.
Updated the reference to the ‘Hardening Microsoft Office 2016’ publication to ‘Hardening Microsoft Office 365
ProPlus, Office 2019 and Office 2016’.
Updated the reference to the ‘Multi-factor Authentication’ publication to ‘Implementing Multi-Factor
Authentication’.
Guidelines for network management
Updated the reference to the ‘Network Segmentation and Segregation’ publication to ‘Implementing Network
Segmentation and Segregation’.
Updated the URL for the National Security Agency’s Manageable Network Plan Guide (version 4.0) publication.
Guidelines for cryptography
Updated the URL for the National Security Agency’s CNSA Suite and Quantum Computing FAQ publication.
Guidelines for connecting networks and security domains
Revision number for security control 1192 was changed from ‘1’ to ‘2’.
Added missing semi-colon following the last updated date in security control 0597.
Supporting information
The entry for ‘accreditation’ was removed to avoid confusion with the process for physical security accreditation.
The definition of ‘authorising officer’ was updated to reflect the content of the Guidelines for authorising
systems.
The entry for ‘certification’ was removed to avoid confusion with the process for physical security certification.
Security assessment aids
The XML ‘<Decription>’ tag was changed to ‘<Description>’.
Fixed typographical error in security control 0904 – ‘Statement of Applicably’ replaced with ‘Statement of
Applicability’.
Applicability markings for security control 0100 were changed from ‘O,P,S,TS’ to ‘O,P,-,-’.
Fixed typographical error in security control 0917 – ‘inflected systems’ replaced with ‘infected systems’.
Revision number for security control 0430 was changed from ‘8’ to ‘5’.
Applicability markings for security control 1215 were changed from ‘O,P,-,TS’ to ‘O,P,S,-’.
Applicability markings for security control 0421 were changed from ‘O,P,S,TS’ to ‘O,P,S,-’.
Revision number for security control 1192 was changed from ‘1’ to ‘2’.