Defence Industry Security Program (DISP) maintains an active assurance and uplift program. The assurance program ensures DISP members meet and maintain their security responsibilities commensurate to their DISP membership requirements.
DISP members are required to maintain their membership as outlined under Defence Security Principles Framework (DSPF) Principle 16 Control 16.1, as well as the broader security requirements of the DSPF and Protective Security Policy Framework (PSPF). DISP members are also required to engage with assurance and uplift activities conducted by DISP and implement recommendations within mutually agreed timeframes.
Defence Industry Security Branch (DISB) assurance activities support members to:
- Understand and meet DISP membership obligations, and broader Defence security requirements.
- Review security practices within their organisation.
- Make recommendations to uplift and improve their security posture.
- Identify improvements in their security control framework.
- Access security advice and information, including on cyber security.
- Access exclusive information and analysis.
- Better understand their security risks and vulnerabilities.
- Improve security tools and processes.
- Give confidence to Defence and other Australian and foreign Government entities when supplying services.
DISP aims to collaborate with members in the assurance process to continually review and improve security practices across Defence industry in order to safeguard Australia’s interests.
DISP members are expected to proactively engage with assurance activities with the objective of reviewing and improving security practices across the DISP membership base. The implementation of recommendations within mutually agreed timeframes is a requirement under DISP membership, and will be monitored and supported by the DISB audit team.
DISB assurance activities start at the point of application and continue throughout membership.
Entry Level Assessment
The Entry Level Assessment (ELA) is a security governance assessment conducted as part of the DISP application process to ensure an entity meets the requirements of the DISP membership levels requested.
The ELA process includes a review of security documentation, a phone interview with security staff and the completion of the Cyber Security Questionnaire (CSQ).
The entity must address any identified gaps prior to DISP membership.
More information on the roles and responsibilities of the Security Officer (SO) and Chief Security Officer (CSO) can be found under the Maintaining membership page.
Ongoing Suitability Assessment
An Ongoing Suitability Assessment (OSA) is a desktop audit to ensure that members are continuing to meet Defence security obligations. OSA selection is an outcome of an internal risk-based framework. An OSA assesses a DISP member's compliance with a selection of security requirements across all four DISP security domains.
The OSA process includes a review of security documentation, a phone interview with security staff and the completion of a cyber questionnaire. This activity assists DISP members to review and, where needed, improve their security policies, procedures and risk management.
Deep dive audit
The DISP approach to deep dive audits (DDAs) is one of collaboration. The objective of a DDA is to ascertain the extent of an entity's compliance with the requirements of DSPF Control 16.1 through a detailed assessment (including site visits) of the adequacy of the security processes and controls in place and, if needed, to help uplift the entity's security posture.
The selection of an entity for inclusion in a DDA is based on an internal risk-based selection framework.
All identified security uplift activities or opportunities for improvement are discussed, and a draft report for review and comment is provided prior to being finalised.
The DISP audit team monitors the implementation of all DDA recommendations.
Annual Security Report
An Annual Security Report (ASR) is a self-attestation of compliance with security obligations under the DSPF. It is due on the anniversary of the DISP membership certificate.
The Security Officer (SO) is responsible for starting, editing and submitting the ASR to the Chief Security Officer (CSO).
The CSO is responsible for reviewing, declaring and final submission of the ASR.
More information on the roles and responsibilities of the SO and CSO can be found under the Maintaining membership page.
Submit the ASR on the DISP Member Portal.
Cyber Security Questionnaire
Given the dynamic threat landscape, investing in cyber security standards is paramount.
Working on, supplying, storing or maintaining Defence-related information makes an entity a target for cyber threat actors and cyber security incidents.
It is important to maintain an appropriate level of cyber security standards and maturity to understand, prevent and manage cyber security risks.
During the DISP application stage, an organisation’s cyber security posture and corporate network used to correspond with Defence is assessed. This includes identifying risks and gaps. DISP provides guidance to improve the entity’s cyber security posture.
Entities are required to complete the Essential Eight Cyber Security Questionnaire (CSQ) as part of their ASR over the reporting period from October 2024 – October 2025. Once an entity has completed the Essential Eight CSQ, as part of their ASR, the CSQ will become part of ongoing assurance activities.
The DISP cyber security technical standards assess entities against the uplifted DISP Security Standards including the full Essential Eight at Maturity Level 2.
The Essential Eight Mitigation Strategies include:
- application control
- patch applications
- restrict administrative privileges
- patch operating systems
- configure Microsoft Office macro settings
- user application hardening
- multi-factor authentication
- regular backups.
It is recommended an authorised representative with sufficient knowledge of an organisation’s ICT infrastructure complete the CSQ.
Incomplete answers or insufficient information may delay the application.
The CSQ includes Part B with 107 controls for the Essential Eight. DISP recommends that entities allow for early planning to ensure enough time is provided to complete the CSQ.
The DISP CSQ is aligned with Maturity Level 2 of the Australian Signals Directorate's Essential Eight. Guidelines to assist in understanding and implementing the controls can be found in the Essential Eight Assessment Process Guide.
Essential Eight Cyber Standards Uplift Program
As part of the DISP Essential Eight Cyber Standards Uplift Program, entities are required to answer questions about their implementation of the full Essential Eight at Maturity Level 2.
After an entity completes the CSQ, a point-in-time cyber security assessment will be undertaken.
Following the cyber assessment, an Essential Eight maturity level will be determined, and an uplift program may be required to meet Maturity Level 2.
The DISP Cyber Team will contact the entity to coordinate and support a maturity action plan.
Understanding Essential Eight
| Mitigation Strategy | What | Why |
|---|---|---|
| Application control | Checking programs against a pre-defined approved list and blocking all programs not on this list | Unapproved programs, including malware, are unable to start, preventing attackers from running programs that would let them gain access or steal data |
| Patch applications | Apply security fixes/patches or mitigations (temporary workarounds) for programs in a timely manner (48 hours for internet-reachable applications). Do not use applications that are out of support and do not receive security fixes | Unpatched applications can be exploited by attackers and, in the worst case, enable an attacker to completely take over an application, access all information contained within it and use that access to reach connected systems |
| Configure MS Office macro settings | Only allow Office macros (automated commands) where there is a business requirement, and restrict the type of commands a macro can execute. Also monitor usage of macros. | Macros can be used to run automated malicious commands that could let an attacker download and install malware |
| User application hardening | Configure key programs (web browsers, Office, PDF software, etc.) to apply settings that make it more difficult for an attacker to successfully run commands to install malware | Default settings on key programs like web browsers may not be the most secure configuration. Making changes helps reduce the ability of a compromised/malicious website to successfully download and install malware. |
| Restrict administrative privileges | Limit how accounts with the ability to administer and alter key system and security settings can be accessed and used. | Administrator accounts are 'the keys to the kingdom', so controlling their use makes it more difficult for an attacker to identify and successfully gain access to one of these accounts, which would give them significant control over systems |
| Patch operating systems | Apply security fixes/patches or temporary workarounds/mitigations for operating systems (e.g. Windows) in a timely manner (48 hours for internet-reachable applications). Do not use versions of an operating system that are old and/or not receiving security fixes | Unpatched operating systems can be exploited by attackers and, in the worst case, enable an attacker to completely take over an application, access all information contained within it and use that access to reach connected systems |
| Multi-factor authentication | A method of validating the user logging in by using additional checks separate from a password, such as a code from an SMS/mobile application or a fingerprint scan | Makes it significantly more difficult for adversaries to use stolen user credentials to facilitate further malicious activities |
| Regular backups | Regular backups of important new or changed data, software and configuration settings, stored disconnected and retained for at least three months. Test the restoration process when the backup capability is initially implemented, annually, and whenever IT infrastructure changes. | To ensure information can be accessed following a cyber security incident (e.g. a ransomware incident). |
For more information, visit the Essential Eight explained page.