ATO information security guidelines for contractors

Certification

Contractor premises used for the storage, processing or production of ATO information must be endorsed by ATO Security Policy and Services as meeting appropriate standards of protective security. Periodic reviews may be conducted by either Security Policy and Services or an ATO-approved representative to maintain certification standards.

Significant changes to premises, fit out, business activities and tenancies may influence continuing certification and should be advised to ATO Security Policy and Services as soon as possible.

Contractor systems used to access, process and store ATO information must be endorsed by ATO Trusted Access. Implementing the controls mentioned in this guide and also providing assurance of compliance to the ATO will help ATO Trusted Access endorse the systems.

Sections within Confidentiality, integrity, and availability of information

• Clear desk procedures
• Storage of ATO information
• Tamper-evident barriers
• Entry control
• Certification
• Visitors
• Keys and combinations
• Movement of classified information
• Electronic transfer
• Copying
• Opening requirements
• Removal of ATO information from contractor premises
• Voice communications
• Cabling security