Security compliance for web development in Australia
Security plays a key role in any digital platform, especially in the current environment of ever-increasing cyberthreats.
The three key security compliance areas that currently govern website security in the Australian government landscape are:
- The Australian Protective Security Framework
- The Australian Government Information Security Manual
- The Essential Eight
The Australian Protective Security Framework
The Protective Security Policy Framework (PSPF) provides advice and guidance on risk management and security controls. It also outlines minimum standards.
The PSPF is made up of 16 policies across:
- Governance
- Information
- Personnel
- Physical assets
Governance policies
- Policy 1: Role of the accountable
- Policy 2: Management structures and
- Policy 3: Security planning and risk
- Policy 4: Security maturity
- Policy 5: Reporting on
- Policy 6: Security governance for contracted goods and service
- Policy 7: Security governance for international
Information policies
- Policy 8: Sensitive and security classified
- Policy 9: Access to
- Policy 10: Safeguarding information from cyber
- Policy 11: Robust ICT
Personnel policies
Physical policies
You can find out more at our dedicated Australian Protective Security Framework insight or directly at the Protective Security Framework.
The Australian Government Information Security Manual
The Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD) produces a security standard: the Australian Government Information Security Manual (ISM). The ISM sets out a cyber security framework for protecting information and systems from cyber threats.
This framework is also used to assess systems for ‘authority to operate’ and to provide security certifications. This is done via the Infosec Registered Assessors Program (IRAP). The security certifications are:
- Unofficial
- Official
- Official:Sensitive
- Protected
- Secret
- Top Secret
Within this framework, applying for authority to operate and official security certification is an onerous process — as it should be.
The ISM’s principles and guidelines
The ISM contains a total of 24 principles across four key areas:
- Govern
- Protect
- Detect
- Respond
The ISM contains guidelines for:
- Cyber security roles
- Cyber security incidents
- Procurement and outsourcing
- Security documentation
- Physical security
- Personnel security
- Communications infrastructure
- Communications systems
- Enterprise mobility
- Evaluated products
- ICT equipment
- Media
- System hardening
- System management
- System monitoring
- Software development (which includes web application development)
- Database systems
- Networking (including online services)
- Cryptography
- Gateways
- Data transfers
Salsa and the ISM
Within each of these areas there are specific, detailed controls for organisations to meet. When working with clients who need security assessments (either a formal IRAP assessment or less formal security assessment), Salsa embeds a security stream into the main project build. Within that we’ve set up a standard process of:
- Using ISM to agree a statement of applicability, by reviewing all the ISM controls and ranking them as applicable or not applicable
- Compiling action plans for non-compliant controls
- Executing on the action plans to ensure compliance with ISM
The project/platform can then be security assessed, either formally through an IRAP assessment or less formally (but still independently) via an independent vulnerability assessment. We also help our clients develop a system security risk mitigation plan (SSRMP).
The Essential Eight
The Australian Cyber Security Centre’s Essential Eight are eight measures the Australian Government recommends all organisations take to safeguard against cyber threats.
The Essential Eight are:
Application whitelisting — create a ‘whitelist’ of applications that can run on your computer/system and only allow these applications to run.
Patching applications — All applications (e.g. web browsers, Microsoft Office, web content management systems, payroll software, etc.) should be patched within 48 hours of an ‘extreme risk’ patch being released and should be updated regularly outside of extreme risk patches.
Configuring Microsoft Office macro settings — An IT administrator should set up allowed macros as ‘trusted’ by creating digitally signed macros.
Application hardening — Go through all applications and web browsers currently used in the organisation and make sure unused and at-risk features are disabled.
Restricting administrative privileges — Administrator logins should be restricted to users whose jobs clearly require them to have administrator access, and administrator accounts shouldn’t be used for reading email or browsing the web.
Patching operating systems — Use the latest operating system version available (and certainly don’t use unsupported versions).
Multi-factor authentication — Multi-factor authentication should be used for remote access and when users are doing certain actions or accessing sensitive data.
Daily backups — Do daily backups for all important (or perhaps all new/altered) data to ensure your data is still available in the event of a cyber incident.
The Essential Eight can also be mapped against the .
Salsa’s website security compliance
Salsa has strict security policies and processes in place for managing security. We have extensive experience working within the security frameworks of the ISM, IRAP assessments and the Essential Eight. We have experience building and maintaining a large, whole-of-government platform to an Official: Sensitive certification — .