ATO information security guidelines for contractors
The Australian Government expects the Australian Taxation Office (ATO) to create and maintain an appropriate security environment for the protection of its functions and official resources. The Australian Government Protective Security Policy Framework (PSPF) sets out the policies, practices and procedures that all Australian Government departments and agencies must comply with.
Information security requirements apply to all ATO employees, and similar requirements apply to ATO contractors in the management of our information. As emphasised in these guidelines, the security of our information is critical.
These information security guidelines are derived from the minimum mandatory requirements of the PSPF Information Security Core Policy. They explain the practices and procedures contractors must follow to provide adequate security for the ATO information they access, process or store.
Departure from these guidelines must be authorised in writing by ATO Security Policy and Services (or ATO Trusted Access Branch for electronic systems) - see further information for details.
The ATO is committed to preserving the security, privacy, confidentiality, integrity and availability of all information provided to us, or generated from within. This commitment is vital because:
- our reputation as a responsible custodian of sensitive client information is integral to community confidence in our operations
- the proper administration of the tax system depends on our ability to keep information secure
- legislation administered by the Commissioner of Taxation imposes certain obligations in relation to information security
- legislation, such as the Crimes Act and Privacy Act, requires us to safeguard information
- Australian Government policies make certain security procedures mandatory for all government agencies.
Procedures within these guidelines apply to all contractors (which includes officers, employees, agents and subcontractors) or any other person or entity acting for the ATO and having custody of and/or access to ATO information. Use of the word 'contractor' within these guidelines applies equally to all such parties, including consultants and service providers.
These guidelines have been prepared for use by contractors who access, process, store or otherwise handle ATO information that is either unclassified or warrants a Dissemination Limiting Marker (DLM).
Additional protective security measures apply to security classified material - ATO Security Policy and Services and/or Trusted Access must be consulted if access to information other than unclassified or that bearing a DLM is required.
The contractor must appoint a body that is responsible for the security of ATO information.
Contractors must develop and deliver a plan that describes the security architecture of systems that will store, access or transmit ATO information. This plan must be approved by the ATO.
Defining ATO information
In the context of these guidelines, 'ATO information' includes data from any source and in any form, which is collected, received, stored or developed by the ATO, or its employees and contractors. ATO information may exist in a range of forms, including:
- documents, papers and other printed or written material
- electronic data
- voice communications
- video and audio recordings
- any physical item from which information belonging to the ATO could be derived
- intellectual knowledge.
Assessing ATO information
The ATO assesses its information according to the degree of harm that may result if the information was accessed without authority, lost, damaged, destroyed, altered or otherwise compromised. Based on this assessed degree of harm, or other legislative requirements which restrict the distribution of the information, a protective marking is applied to information. Protective markings include DLMs and security classifications. Authority to downgrade or upgrade the security classification, or remove the protective marking of ATO information, rests exclusively with the ATO.
Access to information
To reduce the likelihood of information being lost, destroyed, damaged, compromised or misused, access to ATO information by a contractor or other party is authorised only if all the following conditions are met:
- there is a genuine 'need to know' the information
- access will comply with legislative requirements
- there is no conflict of interest regarding the information
- the person has the required level of security clearance.
ATO information must not be placed in the custody of any third party or transferred overseas unless the contractor has received written approval from the ATO Contract manager prior to the placement or transfer.
The 'need-to-know' principle is the principle that the availability of information should be limited to those who need to use or access the information to do their work. Contractors are not entitled to access information merely for the sake of convenience, or by virtue of status, position, office, or level of security clearance.
Where a contractor processes or stores ATO information on any electronic system, an Information Technology (IT) Security Plan must be in place to ensure access to ATO information is available only to authorised persons. IT Security Plans must be endorsed by ATO Trusted Access Branch.
All contractors with access to ATO information in any format must satisfy the ATO pre-engagement integrity checking requirements. Integrity checking requirements include:
- identity verification
- character assessment, including a police records check
- completion of an ATO Declaration of Secrecy.
Pre-engagement integrity checks must be undertaken by the ATO or an ATO-approved representative. Contractors may be responsible for costs associated with these requirements. ATO contract managers are responsible for ensuring integrity-checking requirements are completed before access commences.
Contractors and their authorised personnel who access systems that store, process or communicate ATO information will be required to obtain and maintain an appropriate government security clearance.
Contractors must ensure all personnel who have access to ATO information (including systems that store ATO information) undertake the mandatory ATO security awareness training.
Contractors and their authorised personnel must be made aware of the following:
- the ATO security classification and protective marking system
- requirements for ATO pre-engagement integrity check
- requirements for obtaining security clearance
- information management requirements, including storage, transmission and destruction of information
- proper use of ATO IT systems, facilities and assets
- identifying and managing appropriate levels of access to systems, facilities, assets and electronic information
- close-of-business security procedures
- the 'need-to-know' principle
- protocols to report security-related incidents
- responsibility for notifying changes in circumstances relating to the provision of services (for example, subcontracting out of services, relocation/renovation of premises, changes in key personnel, conflicts of interest)
- privacy and secrecy obligations
- the legitimate use of system accounts, software and information
- the security of accounts, including shared passwords
- protecting ICT workstations from unauthorised access
- observing rules and regulations governing the secure operation and authorised use of systems.
Contractors must ensure ATO information is not accessible to unauthorised persons at any time. Where ATO information is accessed by contractors, clear desk procedures must be in place to prevent unauthorised access. The contractor's clear desk procedures must ensure ATO information is safeguarded while unattended, even for short periods during business hours. Similarly, electronic systems and networks must be protected from unauthorised access.
Close-of-business security procedures should include:
- logging off all systems and networks
- appropriately securing all ATO information
- ensuring all security containers, safes and rooms are locked
- ensuring all keys to security containers or rooms are secured against unauthorised access.
Storage of ATO information
The Australian Government Protective Security Policy Framework specifies minimum storage standards for the protection of official information.
ATO information must be stored in suitable commercial-grade storage containers or in a secure store room within premises approved by the ATO.
The essential physical security features required of the premises are:
- tamper-evident barriers, resistant to covert entry
- an effective means of limiting entry to authorised people only, during both operational and non-operational hours.
Tamper-evident barriers provide enough resistance to covert entry to ensure that a person attempting to gain unauthorised entry and exit, without being apprehended, would have to damage or modify the barriers so it was obvious that a security incident had occurred.
This means ensuring perimeter walls and doors provide an effective barrier, and doors are fitted with high-quality locking mechanisms that provide a good level of resistance to covert entry.
For windows to meet PSPF standards, a quality key lock is usually required to be fitted. However, the installation of quality window security screens may satisfy this requirement.
The Government has endorsed certain locks in their Security Equipment Catalogue for use in intruder-resistant areas. ATO Security Policy and Services can advise which locks meet these standards.
Contractors must employ effective entry control measures to ensure only authorised persons can access areas that hold ATO information. Entry control may consist of a range of measures, such as:
- physical barriers
- electronic or mechanical devices
- guard, attendant or receptionist control
- visual recognition by employees, or
- passes or identity cards.
Effective visitor control, management and recording procedures must be in place.
A high-quality monitored intrusion alarm system, with appropriate response arrangements, will generally also be required to ensure an appropriate level of security protection outside working hours.
Maintenance records for electronic security equipment may be requested by ATO security assurors, as required.
Contractor premises used for the storage, processing or production of ATO information must be endorsed by ATO Security Policy and Services as meeting appropriate standards of protective security. Periodic reviews may be conducted by either Security Policy and Services or an ATO-approved representative to maintain certification standards.
Significant changes to premises, fit out, business activities and tenancies may influence continuing certification and should be advised to ATO Security Policy and Services as soon as possible.
Contractor systems used to access, process and store ATO information must be endorsed by ATO Trusted Access. Implementing the controls mentioned in this guide and providing the ATO with assurance of compliance will help ATO Trusted Access endorse the systems.
Contractors must ensure that visitors to their premises are supervised to prevent unauthorised access to ATO information.
Keys and combinations
Keys and combinations must be given the same degree of protection as the information to which they provide access - this applies to keys and combinations for desk drawers, storage cabinets, safes, computer server racks, and office and building doors. Responsibility for keys and combinations to security containers should be assigned to a responsible person and, when not in use, locked in an endorsed security container. Only those authorised to access ATO information should be assigned custody of keys and combinations to storage facilities in which ATO information is secured.
Movement of classified information
The movement of information exposes it to additional risk. The principles for the secure movement of information involve:
- timely and uninterrupted handling
- secure methods of packaging, transport and delivery
- supervision and recording of all handling processes
- the allocation of specific responsibilities (and training if necessary) to those involved with the movement of information.
Most non-electronic ATO information can be moved by normal post or courier. If contractors use their own vehicles to transport ATO information, the vehicles must have cargo bays of solid construction - suitable materials include metal or fibreglass.
If the information is considered highly sensitive, advice should be sought from the relevant ATO contract manager or ATO Security Policy and Services for other more secure options.
Specific measures are required to protect ATO information moved electronically. Any contractor plans or procedures for transferring ATO information electronically must be endorsed by ATO Trusted Access Branch - this includes facsimile and data transmissions, and email over the internet.
The copying of ATO information must be kept to a minimum, in keeping with operational requirements. The ATO may prohibit the reproduction of specified ATO information.
Contractors should look for any signs of tampering when opening envelopes or wrapping containing ATO information. When it is known or suspected that an envelope or package has been tampered with, the matter must be reported to the relevant ATO contract manager and ATO Security Policy and Services. In such cases, the envelope or package is to be retained for examination and not handled unnecessarily.
Removal of ATO information from contractor premises
The removal of ATO information from a contractor's premises is only permitted where there is a definite work-related need, appropriate protection can be maintained, and the removal is authorised by the relevant ATO contract manager.
Electronic media, such as laptop computers and disks, must be protected to the same degree as paper-based information. Laptops, in particular, carry additional risk because their intrinsic value makes them an attractive target for theft.
Employees removing classified material from a contractor's premises have an important role in the protection of that material. Contractors must ensure their employees take practical measures to safeguard classified material at all times and protect it against unauthorised access.
Care must be taken by contractors to ensure conversations of a sensitive nature are not overheard by unauthorised persons, either at the contractor's premises or in public places - this particularly includes telephone conversations, including on mobile phones.
Telephones cannot generally be considered a secure means of communication and should not be used to discuss highly sensitive matters.
The contractor must develop a cabling plan for all systems where ATO information is communicated and implement secure cabling and patch panels restricting access on a need-to-know basis. This must also include controls to prevent cross-contamination of systems.
Destruction of classified information
Careless disposal of information increases the likelihood of unauthorised disclosure. Contractors must ensure waste ATO information is destroyed in accordance with government standards, which requires mutilation to the extent that it would be impossible to recognise or use the content. Approved methods include:
- wet pulping
- pulverisation, or
Destruction of ATO information may occur through:
- an ATO-approved classified waste destruction facility,
- the contractor's premises using an ATO-approved destruction method, or
- return of the classified waste to an ATO site.
Contractors proposing to destroy ATO information either at their premises or using a commercial service provider must first consult ATO Security Policy and Services.
ATO information pending destruction must be safeguarded in an appropriately secure environment. Recycling of waste ATO information is only permitted for material which has already been destroyed by approved methods.
The ATO and Australian Archives have records disposal schedules which detail retention periods and other requirements relating to particular types of documents. These requirements must be adhered to when preparing to destroy ATO information - when in doubt, the contract manager should be consulted.
Electronic media and equipment
Information can still be retrieved from IT equipment and electronic storage media that has either failed or outlived its purpose. It is essential that computing media which has carried ATO information is disposed of appropriately. Destruction plans for electronic media and equipment must be endorsed by ATO Trusted Access Branch. The ATO expects contractors to develop asset registers that contain a unique entry for each item of media, recording whether the media is in storage or in use, where it is in use, and whether it has been disposed of (sanitised/destroyed).
Contractors should have an established security documentation framework including a hierarchical listing of all information security documentation and their relationships, or adopt the documentation structure and naming conventions of the Australian Government Information Security Manual (ISM).
Contractors must develop documentation to effectively manage the IT security framework for systems that store, process or communicate ATO information.
Key IT security documentation includes:
- Information security policy
- Security risk management plan (SRMP)
- System security plan (SSP)
- Incident response plan (IRP)
- Standard operating procedures (SOPs)
- Security architecture design
- Audit logging plans.
Security documentation should be maintained appropriately and should be:
- formally approved by an authorised person
- reviewed at least annually and after significant changes to the system.
The contractor must conduct audits of their systems that store, process or communicate ATO information with a report of results provided to the ATO. A summary of the results, and the treatment of any identified risks, are to be included in the security risk management plan.
The audits are to occur on a regular basis to compare the approved system documentation with the actual implementation; determine the effectiveness of the implemented controls; and identify ineffective controls for remediation. The ATO reserves the right to require evidence of compliance with this cyber security requirement or to inspect contractor processes.
The contractor shall permit nominated ATO personnel to perform an IT security compliance review of contractor IT systems and operations. The contractor must provide suitable contacts and resources so that nominated ATO personnel can verify contractor IT systems that store, process or communicate ATO information are operating securely.
Evidence collected may include documentation such as architecture diagrams, procedures and system output, and behaviour such as systems settings and log output.
It is recommended contractors conduct vulnerability assessments on the systems that hold ATO information. It is recommended vulnerability assessments are undertaken in the following situations:
- as a result of a specific cyber security incident
- after a change to a system or its environment that significantly impacts on the agreed and implemented system architecture and information security policy
- as part of a regular scheduled assessment.
Contractors should also subscribe to a security alert service that provides up-to-date notifications on vulnerabilities that exist with the products they use.
Contractors should maintain change and release management processes to ensure that changes affecting information security are reviewed and have authorisation.
Types of system changes include:
- an upgrade to, or introduction of, ICT equipment
- an upgrade to, or introduction of, software
- major changes to access controls.
Contractors must ensure that business continuity plans are established to recover from disasters and prevent a loss or degradation of an ATO service. Contractors should conduct tests of the business continuity plan covering systems that store, process or communicate ATO information and provide evidence of the test results to the ATO.
Contractors must have a process to identify, report and contain any cyber security incident that could affect ATO information. The contractor must deploy and manage tools so they are capable of detecting and responding to information security incidents. Regular system integrity checks must be performed to detect deviation from the expected configuration.
Contractors may consider some of the tools below for detecting potential cyber security incidents:
- anomaly detection system
- intrusion prevention system
- log analysis
- network and host-intrusion detection systems
- system integrity verification.
Contractors must report cyber security incidents to the ATO, including what remediation has occurred and the cause of the incident. Reporting must occur within 48 hours of the incident occurring.
It is recommended the cyber security incidents are recorded in a register. At a minimum, the register should include:
- the date the incident was discovered
- the date the incident occurred
- a description of the incident, including the personnel and locations involved
- the action taken
- date reported
- the file reference.
Contractors must classify all information and communication technology (ICT) equipment that stores, processes or communicates ATO information, based on the highest classification of information. Contractors must clearly label all ICT equipment capable of storing ATO information.
Contractors must prevent attackers from exploiting known vulnerabilities in products by implementing robust patch-management processes. Contractors must ensure all critical security patches are applied as soon as possible and ensure security patches are applied through a vendor-recommended patch or upgrade process.
Contractors must harden IT systems during installation - examples of hardening processes are to:
- develop standard operating environments (SOEs)
- develop security configuration baselines
- remove unnecessary software or system services
- change default system authentication settings (for example, passwords)
- apply security software and patches
- test the system security controls for vulnerabilities.
Where required, implement secure software testing and development procedures.
Contractors must have a documented process for the disposal of ICT equipment that holds ATO information and maintain a register for disposal of ICT equipment.
Contractors must implement an authentication mechanism to identify users who access ATO information. Contractors must develop and maintain user identification, authentication and authorisation policies and procedures - for example, a password policy.
Contractors must record sufficient audit-logging information to determine user/system access to ATO information. This information must be regularly reviewed to identify any security breaches.
The contractor must develop an audit-logging plan that covers the events that are recorded for any system that stores, processes or communicates ATO information.
Contractors must preserve the integrity of logs used to record information security incidents. The contractor must develop processes and procedures to ensure the integrity of logs that record access to all systems that store, process or communicate ATO information.
Tests of the log collection processes and integrity of logs must be assessed regularly.
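One way a contractor could make the integrity of access logs testable, as the two paragraphs above require, is to chain each entry to its predecessor with a keyed hash. This is an added example, not ATO or ISM code; the events, the key and the field names are constructed sample data.

```python
"""Added example, not from the ATO guidelines: a hash-chained audit log
whose integrity can be tested regularly. Records and key are constructed."""
import hashlib
import hmac
import json

# Constructed key. In practice it is held by the log collector, not the
# host writing the log, so a compromised host cannot re-sign the chain.
CHAIN_KEY = b"constructed-sample-key"

# Constructed access events of the kind an audit-logging plan might record.
EVENTS = [
    {"ts": "2012-07-30T09:00:01", "user": "alice", "action": "read", "obj": "record-001"},
    {"ts": "2012-07-30T09:05:12", "user": "bob", "action": "read", "obj": "record-002"},
    {"ts": "2012-07-30T09:06:40", "user": "carol", "action": "admin_login", "obj": "host-1"},
]

GENESIS = "0" * 64  # chain value before the first entry


def _link(prev, event):
    """HMAC over the previous chain value and the canonical JSON of the event."""
    payload = prev.encode() + json.dumps(event, sort_keys=True).encode()
    return hmac.new(CHAIN_KEY, payload, hashlib.sha256).hexdigest()


def build_log(events=EVENTS):
    """Each stored entry carries the event plus a chain value that commits
    to every earlier entry."""
    entries, prev = [], GENESIS
    for ev in events:
        prev = _link(prev, ev)
        entries.append({"event": ev, "chain": prev})
    return entries


def verify_log(entries, expected_head=None):
    """Return (ok, index): index is the first bad entry, or None if ok.

    A modified, inserted, reordered or deleted entry breaks the chain at
    the point of tampering. Deleting entries from the end does not, so the
    collector keeps the last chain value it saw (expected_head) and the
    check compares the log's head against it."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if not hmac.compare_digest(_link(prev, entry["event"]), entry["chain"]):
            return False, i
        prev = entry["chain"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)  # tail truncated or head out of date
    return True, None


if __name__ == "__main__":
    log = build_log()
    print(verify_log(log))
    print(verify_log(log[:2], expected_head=log[-1]["chain"]))
```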
All contractors must restrict and minimise the allocation of privileged and system accounts according to the least privilege principle. The contractor must restrict and minimise the allocation of privileged access by using a delegated rights model to form an access matrix. The matrix defines which privileges are granted according to the specific requirements of the role staff perform. The matrix and the number of staff in each role are to be reported to the ATO when requested.
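The access matrix described above, as an added example that is not part of the guidelines: roles map to the privileges their duties require, authorisation decisions are taken from the matrix rather than from what an account happens to hold, and the headcount per role the ATO may request is derived from the same data. Role names, privilege names and staff are constructed sample values.

```python
"""Added example, not from the ATO guidelines: a minimal delegated-rights
access matrix. Roles, privileges and staff are constructed sample data."""
from collections import Counter

# Constructed access matrix: each role maps to the privileges its duties
# require. Anything not listed here must not be granted to that role.
ACCESS_MATRIX = {
    "data_entry":   {"read_ato_records", "write_ato_records"},
    "reviewer":     {"read_ato_records"},
    "sysadmin":     {"admin_host", "read_audit_logs"},
    "security_ops": {"read_audit_logs", "read_ato_records"},
}

# Constructed staff list: (user, role, privileges the account actually holds).
STAFF = [
    ("alice", "data_entry", {"read_ato_records", "write_ato_records"}),
    ("bob", "reviewer", {"read_ato_records", "write_ato_records"}),  # excess right
    ("carol", "sysadmin", {"admin_host", "read_audit_logs"}),
    ("dave", "contractor_temp", {"read_ato_records"}),  # role not in matrix
    ("erin", "security_ops", {"read_audit_logs"}),
]

# Privileges treated as privileged access for the minimisation review.
PRIVILEGED = {"admin_host", "read_audit_logs"}


def excess_privileges(staff=STAFF, matrix=ACCESS_MATRIX):
    """Return {user: privileges held beyond what the role permits}.
    A user whose role is absent from the matrix has every privilege reported,
    since nothing authorises them."""
    findings = {}
    for user, role, held in staff:
        excess = held - matrix.get(role, set())
        if excess:
            findings[user] = excess
    return findings


def headcount_by_role(staff=STAFF):
    """Number of staff in each role, reportable to the ATO on request."""
    return dict(Counter(role for _, role, _ in staff))


def privileged_accounts(staff=STAFF, privileged=PRIVILEGED):
    """Users holding any privileged access, sorted for the review report."""
    return sorted(user for user, _, held in staff if held & privileged)


def is_authorised(user, privilege, staff=STAFF, matrix=ACCESS_MATRIX):
    """Decision taken from the matrix, not from the account's current rights:
    the user's role must exist and must list the privilege."""
    for name, role, _ in staff:
        if name == user:
            return privilege in matrix.get(role, set())
    return False  # unknown user


if __name__ == "__main__":
    print("excess:", excess_privileges())
    print("headcount:", headcount_by_role())
    print("privileged:", privileged_accounts())
```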
The ATO recommends the prohibition of remote access to contractor systems for administration. Where there is a business requirement, the contractor must implement remote access in a secure manner that will not compromise ATO information stored on IT systems. The contractor must provide documentation to assure the ATO the contractor has securely implemented remote access to ATO information.
Encryption of data in transit must be used to provide protection for classified information being communicated over unclassified or public networks.
Contractors must use cryptographic algorithms approved by the Defence Signals Directorate (DSD), and DSD-approved cryptographic protocols, to transfer ATO information across untrusted networks.
Where encryption is being used, contractors must develop a key management plan to document all cryptographic information transfer methods for ATO information.
For each network that is used to communicate ATO information, the contractor must have:
- a high-level diagram showing all connections into the network
- a logical network diagram showing all network devices.
The contractor must restrict and control the connection of peripheral devices to IT systems that store, process or communicate ATO information.
Where the contractor connects one security domain to another - for example, a private contractor network that processes, stores or transmits sensitive ATO information, and the internet - the contractor must deploy controls commonly understood as a gateway. The DSD Australian Government Information Security Manual is the authoritative reference for ATO gateway requirements. Contractors must ensure gateway IT security controls protect connections from the contractor network storing or processing ATO information to other untrusted networks such as the internet.
Gateway security controls can include:
- firewall devices
- routers with security access lists enabled
- gateway security appliances
- maintaining and monitoring security logs
- performing security risk assessments on gateways annually
- security training for system administrators, including limiting administration functions
- irregular testing on gateways.
Perimeter defence measures must be implemented that are effective in detecting and preventing intrusions from all connected networks, at the same time as controlling the approved information flows between internal and external systems.
Enquiries about these guidelines, or any security matter involving the ATO, should be directed through the relevant contract manager to ATO Security Policy and Services (or for electronic systems, to ATO Trusted Access branch).
Last Modified: Monday, 30 July 2012