  • Information technology security

    Contractors must classify all information and communication technology (ICT) equipment that stores, processes or communicates ATO information, based on the highest classification of information they manage. You must clearly label all ICT equipment capable of storing ATO information.

    Contractors must prevent attackers from exploiting known vulnerabilities in products by implementing robust patch-management processes. You must apply all critical security patches as soon as possible, and apply security patches through a vendor-recommended patch or upgrade process.

    Contractors must harden IT systems during installation. Examples of hardening processes include:

    • developing standard operating environments (SOEs)
    • developing security configuration baselines
    • removing unnecessary software or system services
    • changing default system authentication settings (for example, passwords)
    • applying security software and patches
    • testing the system security controls for vulnerabilities.

    Implement secure software testing and development procedures where required.

    Contractors must have a documented process for the disposal of ICT equipment that holds ATO information. They must maintain a register for disposal of ICT equipment.

      Last modified: 03 Apr 2017 (QC 17156)