-
Notifications
You must be signed in to change notification settings - Fork 2
/
ISM_E8_ML2-baseline-resolved-profile_catalog.xml
2858 lines (2858 loc) · 183 KB
/
ISM_E8_ML2-baseline-resolved-profile_catalog.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="UTF-8"?>
<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
uuid="fdc3c9d1-35c0-4f9b-a378-356d9ef5d170">
<metadata>
<title>Information Security Manual Essential Eight Maturity Level Two Baseline</title>
<last-modified>2024-10-04T03:51:20.888273Z</last-modified>
<version>2024.10.4</version>
<oscal-version>1.1.2</oscal-version>
<prop name="resolution-tool" value="libOSCAL-Java+xslt"/>
<link rel="source-profile"
href="https://www.cyber.gov.au/ism/oscal/v2024.10.4/artifacts/ISM_E8_ML2-baseline_profile.xml"/>
<role id="prepared-by">
<title>Document creator</title>
</role>
<party type="organization" uuid="ae0012b5-2a98-4610-ba74-08928451a4c0">
<name>Australian Cyber Security Centre</name>
<short-name>ACSC</short-name>
<link href="https://www.cyber.gov.au" rel="homepage"/>
<email-address>[email protected]</email-address>
<address type="work">
<addr-line>Australian Cyber Security Centre</addr-line>
<addr-line>General enquiries</addr-line>
<addr-line>PO Box 5076</addr-line>
<city>Kingston</city>
<state>ACT</state>
<postal-code>2604</postal-code>
<country>AU</country>
</address>
</party>
<responsible-party role-id="prepared-by">
<party-uuid>ae0012b5-2a98-4610-ba74-08928451a4c0</party-uuid>
</responsible-party>
</metadata>
<group>
<title>Guidelines for Cyber Security Incidents</title>
<prop name="sort-id" value="catalog[1].group[04]"/>
<group>
<title>Managing cyber security incidents</title>
<prop name="sort-id" value="catalog[1].group[04].group[1]"/>
<part name="overview">
<h1>Cyber security events</h1>
<p>A cyber security event is an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security.</p>
<h1>Cyber security incidents</h1>
<p>A cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that either has compromised business operations or has a significant probability of compromising business operations.</p>
<h1>Cyber resilience</h1>
<p>Cyber resilience is the ability to adapt to disruptions caused by cyber security incidents while maintaining continuous business operations. This includes the ability to detect, manage and recover from cyber security incidents.</p>
<h1>Detecting cyber security incidents</h1>
<p>One of the core elements of detecting and investigating cyber security incidents is the availability of appropriate data sources, such as event logs. The following event logs can be used by an organisation to assist with detecting and investigating cyber security incidents:</p>
<ul>
<li>
<strong>Cross Domain Solutions:</strong> May assist in identifying anomalous or malicious network traffic indicating an exploitation attempt or successful compromise.</li>
<li>
<strong>Databases:</strong> May assist in identifying anomalous or malicious application or user behaviour indicating an exploitation attempt or successful compromise.</li>
<li>
<strong>Domain Name System services:</strong> May assist in identifying attempts to resolve malicious domain names or Internet Protocol addresses indicating an exploitation attempt or successful compromise.</li>
<li>
<strong>Email servers:</strong> May assist in identifying users targeted with phishing emails thereby helping to identify the initial vector of a compromise.</li>
<li>
<strong>Gateways:</strong> May assist in identifying anomalous or malicious network traffic indicating an exploitation attempt or successful compromise.</li>
<li>
<strong>Multifunction devices:</strong> May assist in identifying anomalous or malicious user behaviour indicating a cyber security incident.</li>
<li>
<strong>Operating systems:</strong> May assist in identifying anomalous or malicious activity indicating an exploitation attempt or successful compromise.</li>
<li>
<strong>Remote access services:</strong> May assist in identifying unusual locations of access or times of access indicating an exploitation attempt or successful compromise.</li>
<li>
<strong>Security products:</strong> May assist in identifying anomalous or malicious application or network traffic indicating an exploitation attempt or successful compromise.</li>
<li>
<strong>Server applications:</strong> May assist in identifying anomalous or malicious application behaviour indicating an exploitation attempt or successful compromise.</li>
<li>
<strong>System access:</strong> May assist in identifying anomalous or malicious user behaviour indicating an exploitation attempt or successful compromise.</li>
<li>
<strong>User applications:</strong> May assist in identifying anomalous or malicious application or user behaviour indicating an exploitation attempt or successful compromise.</li>
<li>
<strong>Web applications:</strong> May assist in identifying anomalous or malicious application or user behaviour indicating an exploitation attempt or successful compromise.</li>
<li>
<strong>Web proxies:</strong> May assist in identifying anomalous or malicious network traffic indicating an exploitation attempt or successful compromise.</li>
</ul>
<h1>Further information</h1>
<p>Further information on event logging can be found in the event logging and monitoring section of the <a href="#edc24216-f52b-4513-bcda-5fa564661999">Guidelines for System Monitoring</a>.</p>
<p>Further information on cyber security incident response plans can be found in the system-specific security documentation section of the <a href="#578d0434-6b3f-46f3-aad8-c7ac75c2ebcc">Guidelines for Security Documentation</a>.</p>
<p>Further information on preparing for and responding to cyber security incidents can be found in ASD’s <a href="#403f72c6-3e85-4185-8df3-130b2a6b25b3">Cyber Security Incident Response Planning: Executive Guidance</a> and <a href="#041bce05-55ad-4a2a-93e3-c582d39fce94">Cyber Security Incident Response Planning: Practitioner Guidance</a> publications.</p>
<p>Further information on understanding, identifying and preventing the insider threat can be found in the Attorney-General’s Department’s <a href="#fb60e251-ed4c-4781-96db-58a0225bca89">Countering the Insider Threat: A Guide for Australian Government</a> publication.</p>
<p>Further information on developing, implementing and maintaining an insider threat mitigation program can be found in the United States’ Cybersecurity & Infrastructure Security Agency’s <a href="#c322926a-13b3-4efe-8573-06624418e8f5">Insider Threat Mitigation Guide</a>.</p>
<p>Further information on developing, implementing and maintaining an insider threat mitigation program can also be found in Carnegie Mellon University’s Software Engineering Institute’s <a href="#cad720b4-e47a-437d-b272-6958e738131d">Common Sense Guide to Mitigating Insider Threats, Sixth Edition</a> publication.</p>
<p>Further information on reporting of cyber security incidents by service providers can be found in the managed services and cloud services section of the <a href="#f37a4848-0791-4870-b316-5536c2681c28">Guidelines for Procurement and Outsourcing</a>.</p>
<p>Further information on <a href="#188466f6-be12-49ce-b99a-981e54b1663e">reporting cybercrime incidents</a> and <a href="#626d3582-3caf-49d6-89d5-4b8fdbbf1f31">reporting cyber security incidents</a> is available from ASD.</p>
</part>
<group>
<title>Reporting cyber security incidents</title>
<prop name="sort-id" value="catalog[1].group[04].group[1].group[5]"/>
<part name="overview">
<p>Reporting cyber security incidents to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered provides senior management with the opportunity to assess the impact to their organisation and to oversee any cyber security incident response activities. Note, an organisation should also be cognisant of any legislative obligations regarding the reporting of cyber security incidents to authorities.</p>
</part>
<control id="ism-0123" class="ISM-control">
<title>Control: ism-0123</title>
<prop name="sort-id"
value="catalog[1].group[04].group[1].group[5].control[1]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="4"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Jun-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-0123_smt" name="statement">
<p>Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.</p>
</part>
</control>
</group>
<group>
<title>Reporting cyber security incidents to ASD</title>
<prop name="sort-id" value="catalog[1].group[04].group[1].group[6]"/>
<part name="overview">
<p>The Australian Signals Directorate (ASD) uses the cyber security incident reports it receives as the basis for providing assistance to organisations. Cyber security incident reports are also used by ASD to identify trends and maintain an accurate threat environment picture. ASD utilises this understanding to assist in the development of new and updated cyber security advice, capabilities, and techniques to better prevent and respond to evolving cyber threats. An organisation is recommended to internally coordinate their reporting of cyber security incidents to ASD. Note, an organisation should also be cognisant of any legislative obligations regarding the reporting of cyber security incidents to ASD.</p>
<p>The types of cyber security incidents that should be reported to ASD include:</p>
<ul>
<li>suspicious privileged user account lockouts</li>
<li>suspicious remote access authentication events</li>
<li>service accounts suspiciously communicating with internet-based infrastructure</li>
<li>compromise of sensitive or classified data</li>
<li>unauthorised access or attempts to access a system</li>
<li>emails with suspicious attachments or links</li>
<li>denial-of-service attacks</li>
<li>ransomware attacks</li>
<li>suspected tampering of electronic devices.</li>
</ul>
</part>
<control id="ism-0140" class="ISM-control">
<title>Control: ism-0140</title>
<prop name="sort-id"
value="catalog[1].group[04].group[1].group[6].control[1]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="8"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-0140_smt" name="statement">
<p>Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.</p>
</part>
</control>
</group>
</group>
<group>
<title>Responding to cyber security incidents</title>
<prop name="sort-id" value="catalog[1].group[04].group[2]"/>
<part name="overview">
<h1>Further information</h1>
<p>Further information on cyber security incident response plans can be found in the system-specific security documentation section of the <a href="#578d0434-6b3f-46f3-aad8-c7ac75c2ebcc">Guidelines for Security Documentation</a>.</p>
<p>Further information on handling malicious code infections can be found in National Institute of Standards and Technology Special Publication 800-61 Rev. 2, <a href="#f48c0d05-5173-4c8e-8748-e5591518c1fb">Computer Security Incident Handling Guide</a>.</p>
</part>
<group>
<title>Enacting cyber security incident response plans</title>
<prop name="sort-id" value="catalog[1].group[04].group[2].group[1]"/>
<part name="overview">
<p>Following a cyber security incident being identified, an organisation’s cyber security incident response plan should be enacted.</p>
</part>
<control id="ism-1819" class="ISM-control">
<title>Control: ism-1819</title>
<prop name="sort-id"
value="catalog[1].group[04].group[2].group[1].control[1]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="2"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Dec-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1819_smt" name="statement">
<p>Following the identification of a cyber security incident, the cyber security incident response plan is enacted.</p>
</part>
</control>
</group>
</group>
</group>
<group>
<title>Guidelines for Personnel Security</title>
<prop name="sort-id" value="catalog[1].group[08]"/>
<group>
<title>Access to systems and their resources</title>
<prop name="sort-id" value="catalog[1].group[08].group[2]"/>
<part name="overview">
<h1>Security clearances</h1>
<p>Where these guidelines refer to security clearances, it applies to Australian security clearances or security clearances from a foreign government which are formally recognised by Australia.</p>
<h1>Further information</h1>
<p>Further information on access to government resources, including required security clearances, can be found in the Department of Home Affairs’ <a href="#92679127-f61d-486a-a93e-df2a26dfb07a">Protective Security Policy Framework</a>.</p>
<p>Further information on access to highly sensitive government resources, including required briefings, can be found in the Government Security Committee’s Australian Government Security Caveat Guidelines. This publication is available from the Protective Security Policy GovTEAMS community or the Australian Security Intelligence Organisation by email.</p>
<p>Further information on restricting the use of privileged user accounts can be found in ASD’s <a href="#3ccea9a8-a728-4f5b-a0a8-43f2f206f76b">Restricting Administrative Privileges</a> publication.</p>
<p>Further information on administering systems and applications can be found in the system administration section of the <a href="#c6ca6620-ccd5-4c5d-b97c-9d92f1162948">Guidelines for System Management</a>.</p>
<p>Further information on event logging can be found in the event logging and monitoring section of the <a href="#edc24216-f52b-4513-bcda-5fa564661999">Guidelines for System Monitoring</a>.</p>
</part>
<group>
<title>Privileged access to systems</title>
<prop name="sort-id" value="catalog[1].group[08].group[2].group[06]"/>
<part name="overview">
<p>Privileged user accounts are considered to be those which can alter or circumvent a system’s controls. This also applies to user accounts that may only have limited privileges but still have the ability to bypass some of a system’s controls.</p>
<p>Privileged user accounts are often targeted by malicious actors as they can potentially give full access to systems. As such, ensuring that privileged user accounts are prevented from accessing the internet, email and web services minimises opportunities for these accounts to be compromised. However, if privileged user accounts are explicitly authorised to access online services, they should be strictly limited to only what is required for users and services to undertake their duties.</p>
<p>Finally, centrally logging and analysing privileged access events, as well as privileged user account and security group management events, can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents.</p>
</part>
<control id="ism-1507" class="ISM-control">
<title>Control: ism-1507</title>
<prop name="sort-id"
value="catalog[1].group[08].group[2].group[06].control[1]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="3"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Dec-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML1"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1507_smt" name="statement">
<p>Requests for privileged access to systems, applications and data repositories are validated when first requested.</p>
</part>
</control>
<control id="ism-1175" class="ISM-control">
<title>Control: ism-1175</title>
<prop name="sort-id"
value="catalog[1].group[08].group[2].group[06].control[3]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="6"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-24"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML1"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1175_smt" name="statement">
<p>Privileged user accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.</p>
</part>
</control>
<control id="ism-1883" class="ISM-control">
<title>Control: ism-1883</title>
<prop name="sort-id"
value="catalog[1].group[08].group[2].group[06].control[4]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="1"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-24"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML1"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1883_smt" name="statement">
<p>Privileged user accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties.</p>
</part>
</control>
<control id="ism-0445" class="ISM-control">
<title>Control: ism-0445</title>
<prop name="sort-id"
value="catalog[1].group[08].group[2].group[06].control[6]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="8"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-24"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML1"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-0445_smt" name="statement">
<p>Privileged users are assigned a dedicated privileged user account to be used solely for duties requiring privileged access.</p>
</part>
</control>
<control id="ism-1509" class="ISM-control">
<title>Control: ism-1509</title>
<prop name="sort-id"
value="catalog[1].group[08].group[2].group[06].control[8]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="3"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Dec-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1509_smt" name="statement">
<p>Privileged access events are centrally logged.</p>
</part>
</control>
<control id="ism-1650" class="ISM-control">
<title>Control: ism-1650</title>
<prop name="sort-id"
value="catalog[1].group[08].group[2].group[06].control[9]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="3"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-24"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1650_smt" name="statement">
<p>Privileged user account and security group management events are centrally logged.</p>
</part>
</control>
</group>
<group>
<title>Suspension of access to systems</title>
<prop name="sort-id" value="catalog[1].group[08].group[2].group[08]"/>
<part name="overview">
<p>Removing or suspending access to systems, applications and data repositories, ideally using an automatic mechanism where possible, can prevent them from being accessed when there is no longer a legitimate business requirement for their use, such as when personnel change duties, leave an organisation or are detected undertaking malicious activities.</p>
</part>
<control id="ism-1648" class="ISM-control">
<title>Control: ism-1648</title>
<prop name="sort-id"
value="catalog[1].group[08].group[2].group[08].control[4]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="1"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Dec-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1648_smt" name="statement">
<p>Privileged access to systems and applications is disabled after 45 days of inactivity.</p>
</part>
</control>
<control id="ism-1647" class="ISM-control">
<title>Control: ism-1647</title>
<prop name="sort-id"
value="catalog[1].group[08].group[2].group[08].control[6]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="1"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Dec-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1647_smt" name="statement">
<p>Privileged access to systems, applications and data repositories is disabled after 12 months unless revalidated.</p>
</part>
</control>
</group>
</group>
</group>
<group>
<title>Guidelines for System Hardening</title>
<prop name="sort-id" value="catalog[1].group[15]"/>
<group>
<title>Operating system hardening</title>
<prop name="sort-id" value="catalog[1].group[15].group[1]"/>
<part name="overview">
<h1>Further information</h1>
<p>Further information on cyber supply chain risk management can be found in the cyber supply chain risk management section of the <a href="#f37a4848-0791-4870-b316-5536c2681c28">Guidelines for Procurement and Outsourcing</a>.</p>
<p>Further information on patching or updating operating systems can be found in the system patching section of the <a href="#c6ca6620-ccd5-4c5d-b97c-9d92f1162948">Guidelines for System Management</a>.</p>
<p>Further information on hardening Microsoft Windows operating systems can be found in ASD’s <a href="#6e801c68-61f6-4c28-bf72-df91f7e232cc">Hardening Microsoft Windows 10 and Windows 11 Workstations</a> publication.</p>
<p>Further information on hardening Microsoft Windows operating systems can also be found in the <a href="#0bf3a1ef-031a-419b-80c3-08a08b1cee9d">Microsoft Security Baselines Blog</a>.</p>
<p>Further information on hardening Linux workstations and servers can be found in ASD’s <a href="#8132c47e-a2dc-4dd9-81d6-38db96e5cec6">Hardening Linux Workstations and Servers</a> publication.</p>
<p>Further information on <a href="#d0df96bb-7236-4784-8f54-2cb6335ad228">exploit protection functionality</a> within Microsoft Windows is available from Microsoft.</p>
<p>Further information on implementing application control can be found in ASD’s <a href="#4eeff329-cea0-4baf-a80b-8b0b76436075">Implementing Application Control</a> publication.</p>
<p>Further information on Microsoft’s <a href="#5a2ed3ef-afcc-485e-8014-5107e9ed97e3">recommended application blocklist</a> and <a href="#4a3a265f-7772-433b-9906-7f784052f28b">vulnerable driver blocklist</a> are available from Microsoft.</p>
<p>Further information on <a href="#0a1508c0-b062-4d85-8ded-a95316e17a3a">command line process logging</a> is available from Microsoft.</p>
<p>Further information on the use of PowerShell can be found in ASD’s <a href="#8ffea524-0974-4b53-a8f5-41166073ede5">Securing PowerShell in the Enterprise</a> publication.</p>
<p>Further information on <a href="#7d22400c-ddef-4cbb-90f1-7502dc569e5b">the use of PowerShell by blue teams</a> is available from Microsoft.</p>
<p>Further information on obtaining <a href="#af0810aa-3486-4ca6-a48a-fad8ce9ac193">greater visibility through PowerShell logging</a> is available from Mandiant.</p>
<p>Further information on independent testing of security products’ ability to <a href="#3a1a00f6-2f56-4d04-b99d-6f1682b95a98">detect or prevent various stages of network intrusions</a> is available from The MITRE Corporation.</p>
<p>Further information on independent testing of antivirus software is available from <a href="#c852e735-4920-4616-8e34-2fddfb49eea8">AV-Comparatives</a> and <a href="#18203e18-2aca-492e-be44-770b2f47242f">AV-TEST</a>.</p>
<p>Further information on the use of removable media can be found in the media usage section of the <a href="#b594c9c0-b42f-4f06-b643-38023275a5c7">Guidelines for Media</a>.</p>
<p>Further information on event logging can be found in the event logging and monitoring section of the <a href="#edc24216-f52b-4513-bcda-5fa564661999">Guidelines for System Monitoring</a>.</p>
</part>
<group>
<title>Hardening operating system configurations</title>
<prop name="sort-id" value="catalog[1].group[15].group[1].group[04]"/>
<part name="overview">
<p>When operating systems are deployed in their default state, or with an unapproved configuration, it can lead to an insecure operating environment that may allow malicious actors to gain an initial foothold on networks. Many settings exist within operating systems to allow them to be configured in an approved secure state in order to minimise this security risk. As such, the Australian Signals Directorate (ASD) and vendors often produce hardening guidance to assist in hardening the configuration of operating systems. Note, however, in situations where ASD and vendor hardening guidance conflicts, precedence should be given to implementing the most restrictive guidance.</p>
</part>
<control id="ism-1654" class="ISM-control">
<title>Control: ism-1654</title>
<prop name="sort-id"
value="catalog[1].group[15].group[1].group[04].control[06]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="0"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-21"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML1"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1654_smt" name="statement">
<p>Internet Explorer 11 is disabled or removed.</p>
</part>
</control>
</group>
<group>
<title>Application control</title>
<prop name="sort-id" value="catalog[1].group[15].group[1].group[06]"/>
<part name="overview">
<p>Application control can be an effective way to not only prevent malicious code from executing on workstations and servers, but also to ensure only approved applications can execute. When developing application control rulesets, determining approved executables (e.g. .exe and .com files), software libraries (e.g. .dll and.ocx files), scripts (e.g. .ps1, .bat, .cmd, .vbs and .js files), installers (e.g. .msi, .msp and .mst files), compiled HTML (e.g. .chm files), HTML applications (e.g. .hta files), control panel applets (e.g. .cpl files) and drivers based on business requirements is a more secure method than simply approving those already residing on a workstation or server. Furthermore, it is preferable that an organisation defines their own application control rulesets, rather than relying on those from application control vendors, and validate them on an annual or more frequent basis.</p>
<p>In implementing application control, an organisation should use a reliable method, or combination of methods, such as cryptographic hash rules, publisher certificate rules or path rules. Depending on the method chosen, further hardening may be required to ensure that application control mechanisms and application control rulesets cannot be bypassed by malicious actors.</p>
<p>Finally, centrally logging and analysing application control events can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents.</p>
</part>
<control id="ism-0843" class="ISM-control">
<title>Control: ism-0843</title>
<prop name="sort-id"
value="catalog[1].group[15].group[1].group[06].control[01]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="9"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-21"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML1"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-0843_smt" name="statement">
<p>Application control is implemented on workstations.</p>
</part>
</control>
<control id="ism-1490" class="ISM-control">
<title>Control: ism-1490</title>
<prop name="sort-id"
value="catalog[1].group[15].group[1].group[06].control[02]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="3"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-21"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1490_smt" name="statement">
<p>Application control is implemented on internet-facing servers.</p>
</part>
</control>
<control id="ism-1870" class="ISM-control">
<title>Control: ism-1870</title>
<prop name="sort-id"
value="catalog[1].group[15].group[1].group[06].control[04]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="0"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML1"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1870_smt" name="statement">
<p>Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients.</p>
</part>
</control>
<control id="ism-1871" class="ISM-control">
<title>Control: ism-1871</title>
<prop name="sort-id"
value="catalog[1].group[15].group[1].group[06].control[05]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="0"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1871_smt" name="statement">
<p>Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clients.</p>
</part>
</control>
<control id="ism-1657" class="ISM-control">
<title>Control: ism-1657</title>
<prop name="sort-id"
value="catalog[1].group[15].group[1].group[06].control[06]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="0"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-21"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML1"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1657_smt" name="statement">
<p>Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.</p>
</part>
</control>
<control id="ism-1544" class="ISM-control">
<title>Control: ism-1544</title>
<prop name="sort-id"
value="catalog[1].group[15].group[1].group[06].control[12]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="3"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Dec-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1544_smt" name="statement">
<p>Microsoft’s recommended application blocklist is implemented.</p>
</part>
</control>
<control id="ism-1582" class="ISM-control">
<title>Control: ism-1582</title>
<prop name="sort-id"
value="catalog[1].group[15].group[1].group[06].control[14]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="1"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-21"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1582_smt" name="statement">
<p>Application control rulesets are validated on an annual or more frequent basis.</p>
</part>
</control>
<control id="ism-1660" class="ISM-control">
<title>Control: ism-1660</title>
<prop name="sort-id"
value="catalog[1].group[15].group[1].group[06].control[16]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="2"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Dec-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1660_smt" name="statement">
<p>Allowed and blocked application control events are centrally logged.</p>
</part>
</control>
</group>
<group>
<title>Command Shell</title>
<prop name="sort-id" value="catalog[1].group[15].group[1].group[07]"/>
<part name="overview">
<p>The Command shell was the first shell developed by Microsoft to assist with the automation of routine system administration tasks, such as running Windows Commands via batch scripts. However, the Command shell can also be used by malicious actors to run Windows Commands on compromised systems. As such, centrally logging and analysing command line process creation events can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents.</p>
</part>
<control id="ism-1889" class="ISM-control">
<title>Control: ism-1889</title>
<prop name="sort-id"
value="catalog[1].group[15].group[1].group[07].control[1]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="0"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Dec-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1889_smt" name="statement">
<p>Command line process creation events are centrally logged.</p>
</part>
</control>
</group>
<group>
<title>PowerShell</title>
<prop name="sort-id" value="catalog[1].group[15].group[1].group[08]"/>
<part name="overview">
<p>PowerShell is a powerful scripting language developed by Microsoft and, due to its ubiquity and ease with which it can be used to fully control operating systems, is an important part of system administrator toolkits. However, PowerShell can also be a dangerous exploitation tool in the hands of malicious actors.</p>
<p>In order to prevent attacks leveraging vulnerabilities in earlier PowerShell versions, Windows PowerShell 2.0 should be disabled or removed from operating systems. Additionally, PowerShell’s language mode should be set to Constrained Language Mode to achieve a balance between security and functionality.</p>
<p>Finally, centrally logging and analysing PowerShell events can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents.</p>
</part>
<control id="ism-1623" class="ISM-control">
<title>Control: ism-1623</title>
<prop name="sort-id"
value="catalog[1].group[15].group[1].group[08].control[3]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="1"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Dec-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1623_smt" name="statement">
<p>PowerShell module logging, script block logging and transcription events are centrally logged.</p>
</part>
</control>
</group>
</group>
<group>
<title>User application hardening</title>
<prop name="sort-id" value="catalog[1].group[15].group[2]"/>
<part name="overview">
<h1>User applications</h1>
<p>This section is applicable to applications typically installed on user workstations, such as office productivity suites, web browsers and their extensions, email clients, Portable Document Format (PDF) software, and security products (e.g. antivirus software, device access control software, HIPS and software firewalls). Information on server applications can be found in the server application hardening section of these guidelines.</p>
<h1>Further information</h1>
<p>Further information on cyber supply chain risk management can be found in the cyber supply chain risk management section of the <a href="#f37a4848-0791-4870-b316-5536c2681c28">Guidelines for Procurement and Outsourcing</a>.</p>
<p>Further information on patching or updating user applications can be found in the system patching section of the <a href="#c6ca6620-ccd5-4c5d-b97c-9d92f1162948">Guidelines for System Management</a>.</p>
<p>Further information on the implementation and configuration of security products can be found in the operating system hardening section of these guidelines.</p>
<p>Further information on hardening Microsoft Office can be found in ASD’s <a href="#58c9abfb-58fe-416e-a279-dfbfe123c99f">Hardening Microsoft 365, Office 2021, Office 2019 and Office 2016</a> publication.</p>
<p>Further information on hardening Microsoft Office can also be found on the <a href="#0bf3a1ef-031a-419b-80c3-08a08b1cee9d">Microsoft Security Baselines Blog</a>.</p>
<p>Further information on hardening Microsoft Edge can be found on the <a href="#0bf3a1ef-031a-419b-80c3-08a08b1cee9d">Microsoft Security Baselines Blog</a>.</p>
<p>Further information on hardening Google Chrome can be found in Google’s <a href="#741ab440-5759-4571-894d-e499dea3a54c">Chrome Browser Enterprise Security Configuration Guide (Windows)</a>.</p>
<p>Further information on hardening Adobe Reader and Adobe Acrobat can be found in Adobe’s <a href="#9ad09461-7b3d-4faf-bdcd-61df9952cf49">Security Configuration Guide for Acrobat</a> publication.</p>
<p>Further information on Microsoft’s attack surface reduction rules can be found on Microsoft’s <a href="#82ae76a4-ed9e-4a7b-8bad-f1950c41eab7">attack surface reduction rules overview</a> website.</p>
<p>Further information on configuring Microsoft Office macro settings can be found in ASD’s <a href="#dfb52998-0e7e-420d-97e1-d1313c8f919a">Restricting Microsoft Office Macros</a> publication.</p>
<p>Further information on event logging can be found in the event logging and monitoring section of the <a href="#edc24216-f52b-4513-bcda-5fa564661999">Guidelines for System Monitoring</a>.</p>
</part>
<group>
<title>Hardening user application configurations</title>
<prop name="sort-id" value="catalog[1].group[15].group[2].group[3]"/>
<part name="overview">
<p>When user applications are deployed in their default state, or with an unapproved configuration, it can lead to an insecure operating environment that may allow malicious actors to gain an initial foothold on networks. This can be especially risky for office productivity suites, web browsers and their extensions, email clients, PDF software, and security products as such applications are routinely targeted for exploitation. Many settings exist within such applications to allow them to be configured in an approved secure state in order to minimise this security risk. As such, ASD and vendors often produce hardening guidance to assist in hardening the configuration of these applications. Note, however, in situations where ASD and vendor hardening guidance conflicts, precedence should be given to implementing the most restrictive guidance.</p>
</part>
<control id="ism-1667" class="ISM-control">
<title>Control: ism-1667</title>
<prop name="sort-id"
value="catalog[1].group[15].group[2].group[3].control[05]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="0"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-21"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1667_smt" name="statement">
<p>Microsoft Office is blocked from creating child processes.</p>
</part>
</control>
<control id="ism-1668" class="ISM-control">
<title>Control: ism-1668</title>
<prop name="sort-id"
value="catalog[1].group[15].group[2].group[3].control[06]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="0"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-21"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1668_smt" name="statement">
<p>Microsoft Office is blocked from creating executable content.</p>
</part>
</control>
<control id="ism-1669" class="ISM-control">
<title>Control: ism-1669</title>
<prop name="sort-id"
value="catalog[1].group[15].group[2].group[3].control[07]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="0"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-21"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1669_smt" name="statement">
<p>Microsoft Office is blocked from injecting code into other processes.</p>
</part>
</control>
<control id="ism-1542" class="ISM-control">
<title>Control: ism-1542</title>
<prop name="sort-id"
value="catalog[1].group[15].group[2].group[3].control[08]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="0"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Jan-19"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1542_smt" name="statement">
<p>Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.</p>
</part>
</control>
<control id="ism-1859" class="ISM-control">
<title>Control: ism-1859</title>
<prop name="sort-id"
value="catalog[1].group[15].group[2].group[3].control[09]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="2"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Dec-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1859_smt" name="statement">
<p>Office productivity suites are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.</p>
</part>
</control>
<control id="ism-1823" class="ISM-control">
<title>Control: ism-1823</title>
<prop name="sort-id"
value="catalog[1].group[15].group[2].group[3].control[10]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="0"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Mar-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1823_smt" name="statement">
<p>Office productivity suite security settings cannot be changed by users.</p>
</part>
</control>
<control id="ism-1486" class="ISM-control">
<title>Control: ism-1486</title>
<prop name="sort-id"
value="catalog[1].group[15].group[2].group[3].control[11]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="1"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-21"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML1"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1486_smt" name="statement">
<p>Web browsers do not process Java from the internet.</p>
</part>
</control>
<control id="ism-1485" class="ISM-control">
<title>Control: ism-1485</title>
<prop name="sort-id"
value="catalog[1].group[15].group[2].group[3].control[12]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="1"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Sep-21"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML1"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1485_smt" name="statement">
<p>Web browsers do not process web advertisements from the internet.</p>
</part>
</control>
<control id="ism-1412" class="ISM-control">
<title>Control: ism-1412</title>
<prop name="sort-id"
value="catalog[1].group[15].group[2].group[3].control[13]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="6"/>
<prop name="updated"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="Dec-23"/>
<prop name="applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ALL"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML2"/>
<prop name="essential-eight-applicability"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="ML3"/>
<part id="ism-1412_smt" name="statement">
<p>Web browsers are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.</p>
</part>
</control>
<control id="ism-1585" class="ISM-control">
<title>Control: ism-1585</title>
<prop name="sort-id"
value="catalog[1].group[15].group[2].group[3].control[14]"/>
<prop name="revision"
ns="https://cyber.gov.au/ns/ism/oscal/2.0"
value="2"/>
<prop name="updated"