Show download pdf controls
  • Access control

    Contractors must apply security control measures around access of our information.

    Identification and authentication

    Contractors must implement an authentication mechanism to identify users who access ATO information. Contractors must:

    • develop and maintain user identification, authentication and authorisation policies and procedures; for example, password policy
    • record sufficient audit-logging information to determine user/system access to ATO information. This information must be regularly reviewed to identify any security breaches
    • develop as part of the implementation of services an audit-logging plan that covers the events that are recorded for any system that stores, processes or communicates our information
    • preserve the integrity of logs used to record information security incidents. The contractor must develop processes and procedures to ensure the integrity of logs that record access to all systems that store, process or communicate ATO information
    • regularly assess tests of the log collection processes and integrity of logs.

    The contractor must restrict and minimise the allocation of privileged and system accounts according to the principle of least privilege. The contractor must control access by using a delegated rights model to form an access matrix. The matrix is used as definition where privileges are granted according to the specific requirements of the role staff perform. The matrix and the number of staff in each role are to be reported to the ATO when requested.

    Systems access

    Where the contractor processes or stores ATO information on any electronic system, an information technology (IT) security plan must be in place before starting services to ensure access to ATO information is available only to authorised persons. IT security plans must be endorsed by ATO IT Security.

    Remote access

    The ATO recommends prohibiting remote access for administration to contractor systems which store, process or communicate ATO information. Where there is a business requirement, the contractor must implement remote access as per the ISM and in a secure manner that will not compromise ATO information stored on the contractor’s IT systems. The contractor must provide documentation to assure us that remote access to our information is securely implemented.

    The contractor must use multi-factor authentication for remote access to systems that process, store or communicate ATO information.


    Encryption of data in transit must be used to provide protection for classified information being communicated over unclassified or public networks.

    The contractor must use cryptographic algorithms approved by the Defence Signals Directorate (DSD), and DSD-approved cryptographic protocols, to transfer ATO information across untrusted networks.

    Where encryption is being used, contractors must develop a key management plan to document all cryptographic information transfer methods for ATO information.

    Network security

    For each network that is used to communicate ATO information, the contractor must have:

    • a high-level diagram showing all connections into the network
    • a logical network diagram showing all network devices.

    The contractor must restrict and control the connection of peripheral devices to IT systems that store, process or communicate ATO information.

    Gateway security

    Where connections from one security domain to another occur, the contractor must deploy controls commonly understood as a gateway - for example, between a private contractor network processing, storing or transmitting sensitive ATO information, and the internet.

    The Australian Government Information Security Manual is the authoritative reference for ATO gateway requirements. The contractor must ensure gateway IT security controls protect connections from the contractor's network storing or processing ATO information to other untrusted networks such as the internet.

    Gateway security controls can include but are not limited to:

    • firewall devices
    • routers with security access lists enabled
    • gateway security appliances
    • maintained and monitored security logs
    • annual security risk assessments on gateways
    • security training for system administrators, including limiting administration functions
    • irregular testing on gateways.

    Perimeter defence measures must be implemented. They must be effective in detecting and preventing intrusions from all connected networks while controlling the approved information flows between internal and external systems.

    See also:

    Further information

    Enquiries about these guidelines, or any security matter involving the ATO, should be directed through the relevant contract manager to ATO Physical Security Management (or for electronic systems, ATO IT Security branch).

      Last modified: 03 Apr 2017QC 17156