Defence Industry Security Program (DISP) maintains an active assurance and uplift program. The assurance program ensures DISP members meet and maintain their security responsibilities commensurate to their DISP membership requirements.

DISP members are required to maintain their membership as outlined under Defence Security Principles Framework (DSPF) Principle 16 Control 16.1, as well as the broader security requirements of the DSPF and Protective Security Policy Framework (PSPF). DISP members are also required to engage with assurance and uplift activities conducted by DISP and implement recommendations within mutually agreed timeframes.

Defence Industry Security Branch (DISB) assurance activities support members to:

  • Understand and meet DISP membership obligations, and broader Defence security requirements.
  • Review security practices within their organisation.
  • Make recommendations to uplift and improve their security posture.
  • Identify improvements in their security control framework.
  • Access security advice and information, including on cyber security.
  • Access exclusive information and analysis.
  • Better understand their security risks and vulnerabilities.
  • Improve security tools and processes.
  • Give confidence to Defence and other Australian and foreign Government entities when supplying services.

DISP aims to collaborate with members in the assurance process to continually review and improve security practices across Defence industry in order to safeguard Australia’s interests.

DISP members are expected to proactively engage with assurance activities with the objective of reviewing and improving security practices across the DISP membership base. The implementation of recommendations within mutually agreed timeframes is a requirement under DISP membership, and will be monitored and supported by the DISB audit team.

DISB assurance activities start at the point of application and continue throughout membership.

Entry Level Assessment

Entry Level Assessment (ELA) is a security governance assessment conducted as part of the DISP application process to ensure an entity meets the requirements of the DISP membership levels requested. 

The ELA process includes a review of security documentation, a phone interview with security staff and the completion of the Cyber Security Questionnaire.

Any identified gaps must be addressed prior to DISP membership being granted.

Ongoing Suitability Assessment

An Ongoing Suitability Assessment (OSA) is a desktop audit to ensure that members are continuing to meet Defence security obligations. OSA selection is an outcome of an internal risk-based framework. An OSA assesses a DISP member's compliance with a selection of security requirements across all 4 DISP security domains.

The OSA process includes a review of security documentation, a phone interview with security staff and the completion of a cyber questionnaire. This activity assists DISP members to review, and where needed, improve their security policies, procedures, and risk management.

Deep dive audit

The objective of a deep dive audit (DDA) is to ascertain the extent of a DISP member's compliance with the requirements of DSPF Control 16.1 through a detailed assessment (including site visits) of the adequacy of the Defence security processes and controls in place and, if needed, to help uplift the entity's security posture. DISP members are selected for inclusion in a DDA based on an internal risk-based selection framework.

The DISP approach to DDAs is one of collaboration.

All identified security uplift activities or opportunities for improvement are discussed, and a draft report for review and comment is provided prior to being finalised. The implementation of all DDA recommendations is monitored by the DISP audit team.

What to expect during an Audit Fact Sheet (PDF, 1.02 MB)

DISP Audit Fact Sheet (PDF, 172.92 KB)

Annual Security Report

An Annual Security Report (ASR) is a self-attestation, completed by DISP members, of compliance with security obligations under DSPF which is due on the anniversary of the DISP membership certificate. An ASR is required to be tabled with the entity’s Board or Executive (or other equivalent Governance forum) prior to submission to DISP, to ensure that appropriate Executive oversight and action is taken in response to any security issues identified.

DISP members may be required to provide additional information to DISP regarding the ASR responses provided.

Submit the ASR on the DISP Member Portal.

Cyber Security Questionnaire 

Given the dynamic threat landscape, investing in cyber security standards is paramount. 

As a DISP member, the Defence-related information the organisation works on, supplies, stores or maintains makes it a target for cyber threat actors and cyber security incidents. It is important to maintain an appropriate level of cyber security standards and maturity to understand, prevent and manage cyber security risks.

During the DISP application stage, the organisation's cyber security posture and the corporate network used to correspond with Defence are assessed, including identifying risks and gaps. After the cyber security assessment, guidance to improve the organisation's cyber security posture is provided.

Throughout the membership life cycle, DISP requires members to complete the Cyber Security Questionnaire as part of ongoing assurance activities.

The DISP cyber security technical standards assess entities against ASD's 'Top 4' of the Essential 8 Mitigation Strategies (at Maturity Level 1), namely:

  1. Application control
  2. Patch applications
  3. Restrict administrative privileges
  4. Patch operating systems.

Future Cyber Questionnaire

From Q3 2024, new and existing DISP members will be assessed against the uplifted DISP Cyber Security Standards including the full Essential 8 at Maturity Level 2.

The Essential 8 Mitigation Strategies include:

  1. Application control
  2. Patch applications
  3. Restrict administrative privileges
  4. Patch operating systems
  5. Configure Microsoft Office macro settings
  6. User application hardening
  7. Multi-factor authentication
  8. Regular backups.

To meet DISP membership requirements, an entity must also comply with the Australian Government Information Security Manual.

To complete the Cyber Security Questionnaire (CSQ), provide comprehensive responses and evidence to the questions in the DISP Essential 8 Cyber Security Questionnaire.

It is recommended that the CSQ be completed by an authorised representative who has sufficient knowledge of the organisation's corporate IT infrastructure. Incomplete answers or insufficient information will delay the application.

Within the Cyber Security Questionnaire, the 'Tool Tips' provide relevant information on control implementation and acceptable evidence (in accordance with ASD's guidance).

DISP Essential 8 Cyber Standards Uplift Program

As part of the DISP Essential 8 Cyber Standards Uplift Program, entities are required to answer questions about their implementation of the full Essential 8 at Maturity Level 2 including:

  • Application control
  • Patch applications
  • Patch operating systems
  • Restrict administrative privileges
  • Restrict Microsoft Office macros
  • User application hardening
  • Multi-factor authentication
  • Regular backups.

If the organisation complies with other international security standards, it may use that documentation as evidence to demonstrate how it meets the Essential 8 in part.

These standards include:

  • Information Security Management: ISO/IEC 27001:2022
  • Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations (US ITAR requirement): NIST SP 800-171
  • Cyber Security for Defence Suppliers: Def Stan 05-138.

After the organisation completes the Cyber Security Questionnaire, a point-in-time cyber security assessment will be undertaken. If the organisation requires cyber security uplift to meet the Essential 8 Maturity Level 2 requirements, the DISP Essential 8 Cyber Standards Uplift Program will provide additional support. The DISP Cyber Team will contact the organisation if cyber security uplift is required.

Cyber Security rating scale

Based on the responses to the Cyber Security Questionnaire, the DISP will assess the overall level of cyber hygiene using the following ratings:

  • Embedded: 
    All DSPF membership requirements are implemented, effectively integrated and meeting or exceeding security outcomes. The Entity’s implementation of better-practice guidance drives high performance.
  • Managing:
    The majority of DSPF membership requirements are implemented, integrated into business practices and effectively disseminated across the entity. Entity meets most security outcomes.
  • Developing:
    Some DSPF membership requirements are implemented, broadly managed and understood across the entity. Entity is meeting some security outcomes.
  • Ad hoc:
    Few or no DSPF membership requirements are implemented, and they are not well understood across the entity. Security outcomes are not being achieved in some areas.

Understanding Essential 8

Each mitigation strategy, what it involves, and why it matters:

  • Application control
    What: Check programs against a pre-defined approved list and block all programs not on that list.
    Why: Unapproved programs, including malware, are unable to start, which prevents attackers from running programs that would let them gain access or steal data.
  • Patch applications
    What: Apply security fixes/patches, or mitigations (temporary workarounds), for programs in a timely manner (48 hours for internet-reachable applications). Do not use applications that are out of support and no longer receive security fixes.
    Why: Unpatched applications can be exploited by attackers and, in the worst case, let an attacker completely take over an application, access all information within it and use that access to reach connected systems.
  • Configure MS Office macro settings
    What: Only allow Office macros (automated commands) where there is a business requirement, restrict the type of commands a macro can execute, and monitor macro usage.
    Why: Macros can run automated malicious commands that let an attacker download and install malware.
  • User application hardening
    What: Configure key programs (web browsers, Office, PDF software, etc.) with settings that make it more difficult for an attacker to successfully run commands that install malware.
    Why: Default settings on key programs such as web browsers may not be the most secure configuration. Changing them reduces the ability of a compromised or malicious website to download and install malware.
  • Restrict administrative privileges
    What: Limit how accounts that can administer and alter key system and security settings are accessed and used.
    Why: Administrator accounts are 'the keys to the kingdom'; controlling their use makes it more difficult for an attacker to identify and gain access to one, which would give them significant control over systems.
  • Patch operating systems
    What: Apply security fixes/patches, or temporary workarounds/mitigations, for operating systems (e.g. Windows) in a timely manner (48 hours for internet-reachable systems). Do not use versions of an operating system that are old and/or no longer receive security fixes.
    Why: Unpatched operating systems can be exploited by attackers and, in the worst case, let an attacker completely take over the system, access all information on it and use that access to reach connected systems.
  • Multi-factor authentication
    What: Validate the user logging in with additional checks separate from the password, such as a code from an SMS/mobile application or a fingerprint scan.
    Why: Makes it significantly more difficult for adversaries to use stolen credentials to carry out further malicious activity.
  • Regular backups
    What: Regularly back up important new or changed data, software and configuration settings, store the backups disconnected, and retain them for at least three months. Test the restoration process when the backup capability is first implemented, annually, and whenever IT infrastructure changes.
    Why: Ensures information can be recovered following a cyber security incident (e.g. a ransomware incident).
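The 'Patch applications' and 'Patch operating systems' rows above boil down to a measurable test: for every supported asset, was the latest security fix applied within the window, and is any asset out of support? The script below is an added self-check example, not DISP, DISB or ASD tooling, and not part of the questionnaire. The 48-hour window for internet-reachable assets is the figure quoted on this page; the 30-day window for everything else is an assumed placeholder (the page states no figure), the inventory layout is an assumption, and the sample assets are constructed. Set the windows from the current ASD Essential Eight Maturity Model before using it as evidence.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Window quoted on this page for internet-reachable applications and operating systems.
INTERNET_FACING_WINDOW = timedelta(hours=48)
# Assumed placeholder for everything else; the page states no figure, so set this
# from the current ASD Essential Eight Maturity Model before relying on it.
DEFAULT_INTERNAL_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                           # "application" or "os"
    internet_facing: bool
    supported: bool                     # vendor still ships security fixes
    patch_released: Optional[datetime]  # release time of the latest security fix; None if none outstanding
    patch_applied: Optional[datetime]   # when it was applied; None means still pending


@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str    # "unsupported", "overdue" (still pending) or "late" (applied after the window)
    detail: str


def assess(assets: List[Asset], now: datetime,
           internet_window: timedelta = INTERNET_FACING_WINDOW,
           internal_window: timedelta = DEFAULT_INTERNAL_WINDOW) -> List[Finding]:
    """Return one Finding per asset that fails the two patching rows of the table above."""
    findings: List[Finding] = []
    for a in assets:
        if not a.supported:
            # Out-of-support software fails the control regardless of patch state.
            findings.append(Finding(a.name, "unsupported",
                                    f"{a.kind} no longer receives security fixes; replace or isolate"))
            continue
        if a.patch_released is None:
            continue  # nothing outstanding for this asset
        window = internet_window if a.internet_facing else internal_window
        deadline = a.patch_released + window
        # A pending patch is measured against "now"; an applied one against its apply time.
        effective = a.patch_applied if a.patch_applied is not None else now
        if effective > deadline:
            hours_over = (effective - deadline).total_seconds() / 3600
            issue = "overdue" if a.patch_applied is None else "late"
            findings.append(Finding(a.name, issue,
                                    f"{hours_over:.0f} h beyond the {window} window"
                                    f" ({'internet-facing' if a.internet_facing else 'internal'})"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per issue type, e.g. for the cover page of a questionnaire response."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


# Constructed sample inventory (not real DISP data); times are relative to NOW so the
# example is reproducible. hr-portal is applied exactly at the 48 h boundary and passes.
NOW = datetime(2024, 9, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    Asset("public-web (nginx)", "application", True, True, NOW - timedelta(days=3), None),
    Asset("vpn-gateway firmware", "os", True, True, NOW - timedelta(days=5), NOW - timedelta(days=4)),
    Asset("finance-workstation (Windows 10)", "os", False, True, NOW - timedelta(days=45), NOW - timedelta(days=10)),
    Asset("legacy-cad-tool", "application", False, False, None, None),
    Asset("hr-portal (Java app)", "application", True, True, NOW - timedelta(hours=50), NOW - timedelta(hours=2)),
]

if __name__ == "__main__":
    results = assess(SAMPLE_ASSETS, NOW)
    for f in results:
        print(f"{f.issue:<12} {f.asset:<36} {f.detail}")
    print(summarise(results))
```

Feed it the organisation's real inventory export (one Asset per installed application or operating system build, with the vendor's release time for the latest security fix) and the output lists exactly the items an assessor would ask about: anything pending beyond its window, anything applied late, and anything out of support.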

For more information, visit the Essential 8 Explainer.