Vulnerability management
We recommend that contractors conduct vulnerability assessments on the systems that hold ATO information, particularly in the following situations:
- as a result of a specific cyber security incident
- after a change to a system or its environment that significantly impacts on the approved and implemented system architecture and information security policy
- as part of a regular scheduled assessment.
Contractors should also subscribe to a security alert service that provides up-to-date notifications on vulnerabilities in the products they use.
Change and release management
Contractors must maintain change and release management processes to ensure that changes affecting information security are reviewed and authorised.
Types of system changes include:
- an upgrade to, or introduction of, ICT equipment
- an upgrade to, or introduction of, software
- major changes to access controls.
Business continuity and disaster recovery
Contractors must ensure that business continuity plans are established to recover from disasters and prevent a loss or degradation of an ATO service. Contractors should conduct annual tests of their business continuity plan, covering systems that store, process or communicate ATO information, and provide evidence to us of test results.
Cyber security incidents
Contractors must have a process to identify, report and contain any cyber security incident that could affect ATO information. Contractors must deploy and manage tools in such a way that they are capable of detecting and responding to information security incidents. Regular system integrity checks must be performed to detect deviation from the expected configuration.
Contractors may consider some of the following tools for detecting potential cyber security incidents:
- anomaly detection system
- intruder prevention system
- log analysis
- network and host-intrusion detection systems
- system integrity verification.
Contractors must report cyber security incidents to the ATO for any system which stores, processes or communicates ATO information. The report must include the cause of the incident and what remediation has occurred. Reporting must occur within 4 hours, with a preliminary report provided to the ATO within 3 business days and a final report within 5 business days of the incident occurring.
It is recommended that cyber security incidents are recorded in a register. At a minimum, the register should include:
- the date the incident was discovered
- the date the incident occurred
- a description of the incident, including the personnel and locations involved
- the action taken
- the date reported
- the file reference.
Contractors must:
- configure IT systems and environments in response to the latest threats and maintain associated information security documentation
- detect, contain and remove malware by maintaining malicious code protection software.