Cyber.gov.au - Australian Government Information … › sites › default › files › 2019-0… · Web viewChanges to ‘monitor the system’ content to note that cyber threats

  • Upload
    others

  • View
    0

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Cyber.gov.au - Australian Government Information … › sites › default › files › 2019-0… · Web viewChanges to ‘monitor the system’ content to note that cyber threats

August 2019 ISM Changes
The Australian Government Information Security Manual

Executive summary

Minor changes to ‘intended audience’ and ‘further information’ content.

Applying a risk-based approach to cyber security

Minor grammar corrections throughout the section.

Changes to ‘authorise the system’ content to note that in the absence of a Chief Information Security Officer, a Chief Security Officer, a Chief Information Officer or other senior executive in the organisation, should accept security risks associated with a system before it is authorised to operate.

Changes to ‘monitor the system’ content to note that cyber threats and security risks in a system’s operating environment should also be monitored.

Guidelines for Roles and Responsibilities

Chief Information Security Officer

Minor changes to ‘responsibilities’ content to note that Chief Information Security Officers work with the Chief Security Officer, Chief Information Officer and other senior executives within their organisation.

System owners

Removal of the further information reference to the change management section of the Guidelines for System Management as it was no longer directly relevant to the content in this section.

Guidelines for Cyber Security Incidents

Detecting cyber security incidents

Change to ‘intrusion detection and prevention policy’ content.

Security control 0576 was modified to refer to an intrusion detection and prevention policy rather than a strategy. The content for such a policy was reviewed and lifted up into the associated rationale for this security control.

Security Control: 0576; Revision: 7; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An intrusion detection and prevention policy is developed and implemented.

Managing cyber security incidents

Minor change to ‘cyber security incident register’ content.

Security control 0125 was modified to refer explicitly to a cyber security incident register.

Security Control: 0125; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Should
A cyber security incident register is maintained with the following information:

the date the cyber security incident occurred

the date the cyber security incident was discovered

a description of the cyber security incident

any actions taken in response to the cyber security incident

to whom the cyber security incident was reported.

Minor change to ‘further information’ content.

Guidelines for Security Documentation

Development and maintenance of security documentation

Minor changes to ‘security documentation’ content.

Minor changes to ‘approval of security documentation’ content.

Addition of further information references to all strategies, policies, processes, procedures and registers mentioned throughout the document.

System-specific security documentation

Changes to ‘System Security Plan’ content to note that the document formerly known as the ‘Statement of Applicability’ now forms an annex to a system’s System Security Plan.

Security control 0041 was modified to specifically note the inclusion of an annex to the System Security Plan.

Security Control: 0041; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Systems have a SSP that includes a description of the system and an annex that covers both security controls from this document (based on the system’s classification, functionality and technologies) and any additional security controls that have been identified for the system.

‘Standard Operating Procedures’ content was moved, along with security control 0042, to the system administration section of the Guidelines for System Management.

Removal of ‘further information’ content due to being captured in a more comprehensive list within the development and maintenance of security documentation section.

Guidelines for Physical Security

ICT equipment and media

Minor changes to ‘ICT equipment and media register’ content.

Security control 0336 was modified to refer explicitly to an ICT equipment and media register.

Security Control: 0336; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An ICT equipment and media register is maintained and regularly audited.

Wireless devices and Radio Frequency transmitters

Security control 1543 was modified to refer explicitly to an authorised RF devices for SECRET and TOP SECRET areas register.

Security Control: 1543; Revision: 1; Updated: Aug-19; Applicability: S, TS; Priority: Should
An authorised RF devices for SECRET and TOP SECRET areas register is maintained and regularly audited.

Guidelines for Personnel Security

Cyber security awareness raising and training

Minor change to ‘further information’ content.

Access to systems and their resources

Changes to ‘system access requirements’ content to include access to system resources.

Security control 0432 was modified to include access to system resources.

Security Control: 0432; Revision: 5; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Each system’s System Security Plan specifies any authorisations, security clearances and briefings necessary for access to the system and its resources.

Changes to ‘security clearances, briefings and user identification’ content.

All ‘user identification’ and ‘shared user accounts’ content from the Guidelines for System Hardening, including security controls 0414, 0975, 0420, 1538 and 0415, were merged with the ‘security clearances and briefings’ content.

Security control 0434 was modified to include access to system resources.

Security Control: 0434; Revision: 6; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Personnel undergo appropriate employment screening, and where necessary hold an appropriate security clearance, before being granted access to a system and its resources.

Security control 0435 was modified to include access to system resources.

Security Control: 0435; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Personnel receive any necessary briefings before being granted access to a system and its resources.

Security control 0414 was modified to focus on the identification of users. Guidance relating to authenticating users was moved into security control 1546 in the Guidelines for System Hardening.

Security Control: 0414; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Personnel granted access to a system and its resources are uniquely identifiable.

Security control 0415 was modified to note that when shared user accounts are used, personnel using such accounts still need to be uniquely identifiable by some other means.

Security Control: 0415; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable.

Security control 0975 was modified to use consistent language with security controls 0420 and 1538.

Security Control: 0975; Revision: 7; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Should
Personnel who are foreign nationals are identified as such, including by their specific nationality.

Security control 0420 was modified to include systems that process or communicate Australian Eyes Only (AUSTEO) and Australian Government Access Only (AGAO) information.

Security Control: 0420; Revision: 8; Updated: Aug-19; Applicability: S, TS; Priority: Must
Where systems process, store or communicate AUSTEO or AGAO information, personnel who are foreign nationals are identified as such, including by their specific nationality.

Security control 1538 was modified to reference the correct protective marking for Releasable To (REL) information.

Security Control: 1538; Revision: 1; Updated: Aug-19; Applicability: P, S, TS; Priority: Must
Where systems process, store or communicate REL information, personnel who are foreign nationals are identified as such, including by their specific nationality.

Minor changes to ‘standard access to systems by foreign nationals’ content.

Security control 0409 was modified to ensure consistency with similar controls that focus on effective security controls being in place.

Security Control: 0409; Revision: 5; Updated: Aug-19; Applicability: S, TS; Priority: Must
Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO information unless effective security controls are in place to ensure such information is not accessible to them.

Security control 0411 was modified to ensure consistency with similar controls that focus on effective security controls being in place.

Security Control: 0411; Revision: 5; Updated: Aug-19; Applicability: S, TS; Priority: Must
Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO information unless effective security controls are in place to ensure such information is not accessible to them.

Security control 0816 was modified to reference the correct protective marking for REL information.

Security Control: 0816; Revision: 5; Updated: Aug-19; Applicability: P, S, TS; Priority: Must
Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate REL information unless effective security controls are in place to ensure REL information that is not marked as releasable to their nation is not accessible to them.

Changes to ‘privileged access to systems’ content.

Changes to ‘privileged access to systems by foreign nationals’ content.

Security controls 0446 and 0447 were modified to use consistent language with security controls 0409 and 0411.

Security Control: 0446; Revision: 3; Updated: Aug-19; Applicability: S, TS; Priority: Must
Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO information.

Security Control: 0447; Revision: 3; Updated: Aug-19; Applicability: S, TS; Priority: Must
Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO information.

Security control 1545 was added to cover privileged access to systems by foreign nationals where such systems process, store or communicate REL information.

Security Control: 1545; Revision: 0; Updated: Aug-19; Applicability: P, S, TS; Priority: Must
Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate REL information.

Minor changes to ‘suspension of access to systems’ content.

Security control 0430 was slightly reworded.

Security Control: 0430; Revision: 6; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Access to systems, applications and information is removed or suspended on the same day personnel no longer have a legitimate requirement for access.

Guidelines for Communications Infrastructure

Cable management

Security control 0926 was modified to reflect the absence of a specified colour for colour-based protective markings for official and sensitive information within the Protective Security Policy Framework (PSPF).

Security Control: 0926; Revision: 6; Updated: Aug-19; Applicability: O; Priority: Should
The cable colours in the following table are used.

System      Cable Colour
OFFICIAL    Black or grey

Security control 0186 was modified to reflect the mandatory colours specified for colour-based protective markings for classified information within the PSPF’s Sensitive and classified information policy (see Table 3 – Minimum protective markings for sensitive and security classified information). Further, the priority for PROTECTED and SECRET cabling was raised to ensure compliance with PSPF requirements even when outside of TOP SECRET areas.

Security Control: 0186; Revision: 5; Updated: Aug-19; Applicability: P, S, TS; Priority: Must
The cable colours in the following table are used.

System        Cable Colour
TOP SECRET    Red
SECRET        Salmon (Pink)
PROTECTED     Blue

Cable labelling and registration

Changes to ‘cable labelling process and procedures’ content.

Security control 0206 was modified to focus on the process and procedures for cable labelling.

Security Control: 0206; Revision: 5; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Should
A cable labelling process, and supporting cable labelling procedures, is developed and implemented.

Guidelines for Communications Systems

Telephone systems

Security control 1078 was modified to refer explicitly to a telephone systems usage policy.

Security Control: 1078; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A telephone systems usage policy is developed and implemented.

Fax machines and multifunction devices

Minor change to ‘using cryptographic equipment with fax machines and multifunction devices’ content.

Security control 0588 was modified to refer explicitly to a fax machine and MFD usage policy.

Security Control: 0588; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A fax machine and MFD usage policy is developed and implemented.

Guidelines for Enterprise Mobility

Mobile device management

Minor changes to ‘mobile device management policy’ content.

Security control 1533 was modified to refer explicitly to a mobile device management policy.

Security Control: 1533; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A mobile device management policy is developed and implemented.

Security control 1399 was reviewed and merged into security control 1400.

Security Control: 1400; Revision: 2; Updated: Aug-19; Applicability: O, P; Priority: Must
Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC hardening guidance, and have enforced separation of official and classified information from any personal information.

Security control 1481 was reviewed and merged into security control 1482.

Security Control: 1482; Revision: 1; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Personnel accessing official or classified information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC hardening guidance.

Mobile device usage

Minor change to ‘mobile device usage policy’ content.

Security control 1082 was modified to refer explicitly to a mobile device usage policy.

Security Control: 1082; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A mobile device usage policy is developed and implemented.

Minor change to ‘mobile device emergency sanitisation process and procedures’ content.

Security control 0701 was modified to include a mobile device emergency sanitisation process to guide the existing recommendation for emergency sanitisation procedures.

Security Control: 0701; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented.

Security control 0702 was modified to refer to the guiding mobile device emergency sanitisation process rather than the specific mobile device emergency sanitisation procedures.

Security Control: 0702; Revision: 4; Updated: Aug-19; Applicability: S, TS; Priority: Must
If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process.

Guidelines for ICT Equipment Management

ICT equipment usage

New content added on ‘ICT equipment management policy’ to cover the management of all forms of ICT equipment.

Security control 1551 was added to cover the development and implementation of an ICT equipment management policy.

Security Control: 1551; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An ICT equipment management policy is developed and implemented.

ICT equipment sanitisation and disposal

Minor change to ‘ICT equipment sanitisation and disposal process and procedures’ content.

Security control 0313 was modified to include a process for ICT equipment sanitisation.

Security Control: 0313; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An ICT equipment sanitisation process, and supporting ICT equipment sanitisation procedures, is developed and implemented.

Security control 1550 was added to include a process for ICT equipment disposal.

Security Control: 1550; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An ICT equipment disposal process, and supporting ICT equipment disposal procedures, is developed and implemented.

Guidelines for Media Management

Media usage

New content added on ‘media management policy’ to cover the management of all forms of media (including within ICT equipment).

Security control 1549 was added to cover the development and implementation of a media management policy.

Security Control: 1549; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A media management policy is developed and implemented.

Changes to ‘media usage policy’ content to focus on the use of removable media by users.

Security control 1359 was modified to focus on the use of removable media by users.

Security Control: 1359; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A removable media usage policy is developed and implemented.

Minor changes to ‘connecting media to systems’ content.

Media sanitisation

Minor changes to ‘media in ICT equipment’ content.

Minor change to ‘hybrid hard drives’ content.

Minor change to ‘solid state drives’ content.

Minor changes to ‘media sanitisation process and procedures’ content.

Security control 0348 was modified to include a process for media sanitisation.

Security Control: 0348; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A media sanitisation process, and supporting media sanitisation procedures, is developed and implemented.

Media destruction

Minor changes to ‘media destruction process and procedures’ content.

Security control 0363 was modified to include a process for media destruction.

Security Control: 0363; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A media destruction process, and supporting media destruction procedures, is developed and implemented.

Media disposal

Minor changes to ‘media disposal process and procedures’ content.

Security control 0374 was modified to include a process for media disposal.

Security Control: 0374; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A media disposal process, and supporting media disposal procedures, is developed and implemented.

Guidelines for System Hardening

Operating system hardening

The ‘further information’ content was updated to reference the retitled authentication hardening section.

Authentication hardening

Change of section title from ‘system access’ to ‘authentication hardening’ to avoid confusion with the access to systems and their resources section of the Guidelines for Personnel Security.

All ‘user identification’ and ‘shared user accounts’ content, including security controls 0414, 0975, 0420, 1538 and 0415, were moved to the access to systems and their resources section of the Guidelines for Personnel Security.

Addition of new ‘authenticating to systems’ content.

Security control 1546 was added following the split of content in security control 0414.

Security Control: 1546; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Users are authenticated before they are granted access to a system and its resources.

Guidelines for System Management

System administration

Given the focus on system administration activities, the ‘system administration process and procedures’ content, and security control 0042, was moved from the Guidelines for Security Documentation to the Guidelines for System Management.

Security control 0042 was modified to remove content that is covered by other security controls. For example, the management of assets by the new ICT equipment management policy (see security control 1551).

Security Control: 0042; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A system administration process, with supporting system administration procedures, is developed and implemented.

The ‘further information’ content was updated to reference the retitled authentication hardening section of the Guidelines for System Management.

System patching

Changes made to ‘patching management process and procedures’ content.

Security control 1143 was modified to clarify the recommendation for a patch management process and supporting patch management procedures.

Security Control: 1143; Revision: 7; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A patch management process, and supporting patch management procedures, is developed and implemented.

Security control 1493 was modified to replace ‘an inventory’ with ‘a register’ to ensure consistency with similar security controls.

Security Control: 1493; Revision: 1; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Should
To maintain visibility of applications, drivers, operating systems and firmware that potentially require patching or updating, a register (including details of versions and patching histories) is maintained for workstations, servers, mobile devices, network devices and all other ICT equipment.

Change management

Changes made to ‘change management process and procedures’ content.

Security control 1211 was modified to include content from security control 0115.

Security Control: 1211; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A change management process, and supporting change management procedures, is developed and implemented covering:

identification and documentation of requests for change

approval required for changes to be made

implementation and testing of approved changes

the maintenance of system and security documentation.

Security control 0115 was merged into security control 1211.

Data backup and restoration

Change of section title from ‘data backups’ to ‘data backup and restoration’.


New ‘digital preservation policy’ content was added.

Changes made to ‘data backup and restoration processes and procedures’ content.

Security control 1510 was split into three separate security controls to focus on a digital preservation policy (security control 1510), a data backup process and supporting procedures (security control 1547), and a data restoration process and supporting procedures (security control 1548).

Security Control: 1510; Revision: 1; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A digital preservation policy is developed and implemented.

Security Control: 1547; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A data backup process, and supporting data backup procedures, is developed and implemented.

Security Control: 1548; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A data restoration process, and supporting data restoration procedures, is developed and implemented.

Minor change to ‘further information’ content.

Guidelines for System Monitoring

Event logging and auditing

Changes to ‘event logging policy’ content.

Security control 0580 was modified to refer to an event logging policy rather than a strategy. The content for such a policy was reviewed and lifted up into the associated rationale for this security control.

Security Control: 0580; Revision: 6; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An event logging policy is developed and implemented.

Minor change to ‘event log auditing process and procedures’ content.

Security control 0109 was modified to include a process for event log auditing.

Security Control: 0109; Revision: 6; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements.

Vulnerability management

Minor change to ‘vulnerability management policy’ content.

Security control 1163 was modified to refer to a vulnerability management policy rather than vulnerability management strategies.

Security Control: 1163; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Should
A vulnerability management policy is developed and implemented that includes:

conducting vulnerability assessments and penetration tests for systems throughout their life cycle to identify security vulnerabilities

analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls

using a risk-based approach to prioritise the implementation of identified mitigations.


Guidelines for Database Systems Management

Database management system software

The ‘further information’ content was updated to reference the retitled authentication hardening section of the Guidelines for System Management.

Databases

Minor change to ‘database register’ content.

Security control 1243 was modified to refer explicitly to a database register.

Security Control: 1244; Revision: 5; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Should
A database register is maintained and regularly audited.

Guidelines for Email Management

Email usage

Minor change to ‘email usage policy’ content.

Security control 0264 was modified to refer explicitly to an email usage policy.

Security Control: 0264; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
An email usage policy is developed and implemented.

Minor change to ‘email distribution lists’ content.

Security control 1539 was modified to reference the correct protective marking for REL information.

Security Control: 1539; Revision: 2; Updated: Aug-19; Applicability: P, S, TS; Priority: Must
Emails containing REL information are only sent to named recipients and not to groups or distribution lists unless the nationality of all members of the distribution lists can be confirmed.

Guidelines for Network Management

Network design and configuration

Security control 1310 was merged into security control 1532.

Security Control: 1532; Revision: 1; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
VLANs are not used to separate network traffic between official or classified networks and public network infrastructure.

Minor changes to ‘network device register’ content.

Security control 1301 was modified to refer explicitly to a network device register. Furthermore, the priority was raised to ensure alignment with similar recommendations for ICT equipment and media registers.

Security Control: 1301; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A network device register is maintained and regularly audited.

Wireless networks

Security control 1322 was modified to reference products that have been evaluated and certified against the Common Criteria.

Security Control: 1322; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Evaluated supplicants, authenticators and authentication servers are used in wireless networks.

Security control 1324 was modified to reference products that have been evaluated and certified against the Common Criteria.

Security Control: 1324; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
Certificates are generated using an evaluated certificate authority solution or hardware security module.

Changes made to ‘encryption for wireless network traffic’ content.

Security control 1332 was modified to capture all use cases for encrypting wireless network traffic.

Security Control: 1332; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic.

Security controls 0543 and 1445 were removed due to duplicating security controls 0465 and 0467 within the Guidelines for Using Cryptography.

Guidelines for Using Cryptography

Cryptographic fundamentals

Changes made to ‘encrypting information in transit’ content to note its applicability to wireless networks.

Guidelines for Gateway Management

Gateways

Security control 0625 was modified to include a reference to an organisation’s change management process and procedures.

Security Control: 0625; Revision: 5; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
All changes to a gateway architecture are considered prior to implementation, documented and assessed in accordance with the organisation’s change management process and supporting change management procedures.

Web content and connections

Security control 0258 was modified to refer explicitly to a web usage policy.

Security Control: 0258; Revision: 3; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A web usage policy is developed and implemented.

The reference to the whitetrash software application was removed as the project was abandoned in May 2014.

Guidelines for Data Transfers and Content Filtering

Data transfers

Changes to ‘data transfer process and procedures’ content.


Security control 0663 was modified to specify the development and implementation of a data transfer process and supporting data transfer procedures.

Security Control: 0663; Revision: 5; Updated: Aug-19; Applicability: O, P, S, TS; Priority: Must
A data transfer process, and supporting data transfer procedures, is developed and implemented.

Minor changes to ‘data transfer approval’ content.

Minor changes to ‘preventing export of particularly important data to foreign systems’ content.

Security control 1535 was modified to specify the development and implementation of an appropriate process to prevent data spills of particularly important information onto foreign systems.

Security Control: 1535; Revision: 1; Updated: Aug-19; Applicability: S, TS; Priority: Must
A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems.

Cyber Security Terminology

Glossary of abbreviations

Addition of ‘REL’ entry.

Removal of ‘CCMP’ entry.

Glossary of cyber security terms

Various minor grammar changes to entries.

Addition of ‘Australian Signals Directorate (ASD) Cryptographic Evaluation’ and ‘Releasable To information’ entries.

Removal of ‘nationality releasable information’ entry.
