GENERAL IT SECURITY
What are general IT security services?
General IT security services include scanning for viruses, secure backup and restoration of information, secure information archiving and secure information destruction.
What are the Australian Standards for general IT security services?
The Australian Signals Directorate (ASD) provides extensive guidance to Commonwealth entities on standards for safeguarding data at different levels of sensitivity, from “unclassified but sensitive or official information not intended for public release” (UD), through “protected” (P), to “Top Secret” (TS). The associated security controls are set out in the ASD’s Information Security Manual (ISM).
Although only Australian Government agencies are required to adopt the ASD controls outlined in the ISM, the controls also provide a useful framework for non-government organisations protecting data at various levels of sensitivity. Data of this type includes Personal Health Information containing identifying details, which is considered both “sensitive” and “protected”.
The following ASD controls apply to agencies protecting data that is considered “unclassified but sensitive or official information not intended for public release” (UD) or “protected” (P).
Content Filtering – Scanning for viruses
ASD Control: 1288; Revision: 0; Agencies should perform antivirus scans on all content using up-to-date engines and signatures, using multiple different scanning engines.
ASD Control: 1033; Revision: 4; Updated: Apr-15; Agencies must ensure that antivirus or internet security software has:
- Signature-based detection enabled and set to a high level
- Heuristic-based detection enabled and set to a high level
- Detection signatures checked for currency and updated on at least a daily basis
- Automatic and regular scanning configured for all fixed disks and removable media.
ASD Control: 1390; Revision: 1; Updated: Apr-15; Antivirus or Internet security software should have reputation ratings enabled.
ASD Control: 0657; Revision: 3; Data imported to a system must be scanned for malicious and active content.
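Controls 1033 and 0657 above require imported content to be scanned for malicious and active content. The Python script below is an added example, not code from ASD or med.data: a lightweight pre-screen that a data-import pipeline could run before handing files to the required antivirus engines. It identifies each file's container from its leading bytes rather than its name, and flags Office documents carrying a VBA macro project, PDFs containing JavaScript, OpenAction, launch or embedded-file keys, HTML with script or event-handler attributes, and files whose content does not match their extension. The extension-to-container mapping, the indicator lists and the sample files are constructed for this example.

```python
"""Pre-screen of imported files for active content (added example, not ASD or
med.data code). It supplements, and does not replace, the antivirus engines the
controls require: it classifies the container from its bytes, flags cheap
indicators of active content and extension/content mismatches, and returns
findings so flagged files can be held or routed to the scanning engines.
All sample files are constructed in memory."""
import io
import re
import zipfile

# Extension -> container type we expect to sniff (assumed mapping for this example).
EXPECTED = {"pdf": "pdf", "docx": "zip", "docm": "zip", "xlsx": "zip", "xlsm": "zip",
            "pptx": "zip", "pptm": "zip", "doc": "ole", "xls": "ole", "html": "html"}
MACRO_FREE_EXTS = {"docx", "xlsx", "pptx"}          # formats that must not carry macros
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)\b")
HTML_SCRIPT = re.compile(rb"<\s*script\b|\bon[a-z]+\s*=", re.IGNORECASE)


def sniff(data: bytes) -> str:
    """Classify the container from leading bytes, never from the file name."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole"
    head = data[:512].lower()
    if b"<html" in head or b"<!doctype html" in head:
        return "html"
    return "unknown"


def screen(filename: str, data: bytes) -> dict:
    """Return {'kind': ..., 'findings': [...]}; any finding means hold for review."""
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if ext in EXPECTED and EXPECTED[ext] != kind:
        findings.append(f"content ({kind}) does not match extension .{ext}")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
            findings.append("ZIP container unreadable")
        macros = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if macros:
            findings.append("VBA macro project embedded: " + ", ".join(macros))
            if ext in MACRO_FREE_EXTS:
                findings.append("macro project inside a macro-free extension")
    elif kind == "pdf":
        keys = sorted({m.decode() for m in PDF_ACTIVE.findall(data)})
        if keys:
            findings.append("PDF active-content keys: " + ", ".join("/" + k for k in keys))
    elif kind == "ole":
        findings.append("legacy OLE container may carry macros; route to AV engines")
    elif kind == "html" and HTML_SCRIPT.search(data):
        findings.append("HTML contains script or event-handler attributes")
    return {"kind": kind, "findings": findings}


def build_samples() -> dict:
    """Constructed sample inputs: Office containers, PDFs and an HTML page."""
    def ooxml(with_macro: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            if with_macro:
                zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed")
        return buf.getvalue()

    pdf_js = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF")
    pdf_plain = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
    return {
        "report.docm": ooxml(True),          # macro-enabled format carrying macros
        "letter.docx": ooxml(False),         # clean document
        "macro-hidden.docx": ooxml(True),    # macros inside a macro-free extension
        "renamed.pdf": ooxml(False),         # Office container named as a PDF
        "invoice.pdf": pdf_js,               # PDF with auto-run JavaScript
        "memo.pdf": pdf_plain,               # plain PDF
        "page.html": b"<html><body onload=\"x()\">constructed</body></html>",
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, screen(name, blob))
```

Anything the pre-screen flags should be held for review or sent through the scanning engines rather than silently dropped; the checks are deliberately conservative indicators, not a substitute for signature-based and heuristic scanning.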
Secure backup and restoration of information
ASD Control: 0914; Revision: 2; Agencies should develop a disaster recovery plan.
ASD Control: 0119; Revision: 4; Agencies must:
- back up all information identified as critical to their business
- store backups of critical information, with associated documented recovery procedures, at a remote location secured in accordance with the requirements for the sensitivity or classification of the information
- test backup and restoration processes regularly to confirm their effectiveness.
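Control 0119 requires backup and restoration processes to be tested regularly. The Python script below is an added example, not ASD or med.data code, of one way to make that test concrete: it archives a set of files together with an embedded SHA-256 manifest, restores the archive into a fresh directory while refusing any member that would land outside it, and reports files that are missing, altered or unexpected after the restore. The manifest file name, the archive layout and the sample data are assumptions made for this example.

```python
"""Backup-and-restore verification drill (added example, not ASD or med.data
code). Assumed workflow: files identified as critical are packed into a tar.gz
archive with a SHA-256 manifest; a restore drill unpacks the archive into a
scratch directory and checks every file against that manifest, so a backup that
cannot be restored intact is caught before it is needed. All paths and sample
files are constructed in temporary directories."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"   # manifest file name chosen for this example


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under `root` (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}


def create_backup(source: Path, archive: Path) -> dict:
    """Archive `source` as tar.gz with the manifest embedded; return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        payload = json.dumps(manifest, indent=2, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return manifest


def restore(archive: Path, scratch: Path) -> None:
    """Unpack into `scratch`, refusing any member that would escape it."""
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            try:
                (scratch / member.name).resolve().relative_to(scratch.resolve())
            except ValueError:
                raise ValueError(f"archive member escapes restore directory: {member.name}")
        try:
            tar.extractall(scratch, filter="data")   # Python 3.12+: built-in safety filter
        except TypeError:                            # older Python: rely on the check above
            tar.extractall(scratch)


def verify_tree(scratch: Path) -> dict:
    """Compare a restored tree with the manifest it carries; ok only if identical."""
    manifest = json.loads((scratch / MANIFEST).read_text())
    restored = build_manifest(scratch)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupt = sorted(f for f in manifest if f in restored and restored[f] != manifest[f])
    return {"ok": not (missing or unexpected or corrupt), "files": len(manifest),
            "missing": missing, "corrupt": corrupt, "unexpected": unexpected}


def backup_and_restore(source: Path) -> Path:
    """Back up `source` and restore it into a new temporary directory; return it."""
    work = Path(tempfile.mkdtemp(prefix="drill-"))
    archive = work / "critical.tar.gz"
    scratch = work / "restore"
    scratch.mkdir()
    create_backup(source, archive)
    restore(archive, scratch)
    return scratch


def run_restore_drill(source: Path) -> dict:
    """End to end: back up, restore to a fresh directory, verify against the manifest."""
    return verify_tree(backup_and_restore(source))


def make_sample_source() -> Path:
    """Constructed sample of 'critical' data for the drill."""
    src = Path(tempfile.mkdtemp(prefix="critical-"))
    (src / "records").mkdir()
    (src / "records" / "patients.csv").write_text("id,name\n1,constructed\n")
    (src / "config.ini").write_text("[db]\nhost=localhost\n")
    return src


if __name__ == "__main__":
    print(run_restore_drill(make_sample_source()))
```

Run as a scheduled job against the real backup archive and a disposable restore location, the drill gives a pass/fail record for each test; the manifest travels inside the archive so the check does not depend on the original system still being available, which is the situation a disaster recovery plan has to assume.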
ASD Control: 0455; Revision: 1; Where practical, cryptographic products must provide a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure.
Secure information archiving
No ASD controls
Secure information destruction
ASD Control: 0313; Revision: 1; Agencies must have a documented process for the disposal of ICT equipment.
ASD Control: 0311; Revision: 4; When disposing of ICT equipment containing sensitive or classified media, agencies must sanitise the equipment by either:
- sanitising the media within the equipment
- removing the media from the equipment, then sanitising or destroying the media individually and disposing of it separately
- destroying the equipment in its entirety.
ASD Control: 1217; Revision: 0; When disposing of ICT equipment, agencies must remove labels and markings indicating the classification, codewords, caveats, owner, system or network name, or any other marking that can associate the equipment with its original use.
ASD Control: 0364; Revision: 1; To destroy media, agencies must either:
- break up the media
- heat the media until it has either burnt to ash or melted
- degauss the media.
ASD Control: 0366; Revision: 1; Agencies must use one of the methods shown in the table below:
ASD Control: 1160; Revision: 0; Agencies must employ degaussers certified by the National Security Agency/Central Security Service or the Government Communications Headquarters/Communications-Electronics Security Group for the purpose of degaussing media. When using a degausser to destroy media, checking its field strength regularly confirms that the degausser is functioning correctly.
ASD Control: 1360; Revision: 0; Agencies should check the field strength of the degausser at regular intervals when destroying media.
ASD Control: 1361; Revision: 0; Agencies should use approved equipment when destroying media.
ASD Control: 0368; Revision: 5; Agencies must, at minimum, store and handle the resulting media waste for all methods, except for furnace/incinerator and degausser, as indicated below.
ASD Control: 0361; Revision: 2; Agencies must use a degausser of sufficient field strength for the coercivity of the media.
ASD Control: 0838; Revision: 1; Agencies must use a degausser capable of the magnetic orientation (longitudinal or perpendicular) of the media.
ASD Control: 0370; Revision: 3; Agencies must perform the destruction of media under the supervision of at least one person cleared to the sensitivity or classification of the media being destroyed.
ASD Control: 0371; Revision: 2; Personnel supervising the destruction of media must:
- supervise the handling of the media to the point of destruction
- ensure that the destruction is completed successfully.
ASD Control: 0374; Revision: 0; Agencies must document procedures for the disposal of media.
ASD Control: 1069; Revision: 1; Agencies should sanitise media, if possible, prior to transporting it to an off-site location for destruction.
The Commonwealth Privacy Act (1988) (http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act) defines what is considered personal and sensitive information in Australia. Personal Information means information about an identified individual, or an individual who is reasonably identifiable. Of relevance to med.data, Sensitive Information includes information about an individual’s racial or ethnic origin, or sexual orientation or practices; health information; genetic information; and biometric information.
The US HIPAA Privacy Rule (http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html) defines “protected health information” as individually identifiable health information, including identifiable demographic and other information relating to the past, present or future physical or mental health or condition of an individual, or the provision of or payment for health care to an individual, that is created or received by a health care provider, health plan, employer or health care clearinghouse. Genetic information is considered to be health information.