www.asio.gov.au
Release history
Handling instructions
This document is not classified. It is approved for public release: distribution unlimited.
Disclaimer
The information provided in this document is intended to be used as general guidance
material only and is not provided for any other purpose. In particular, it is not intended to
provide comprehensive advice on its subject matter or in relation to any particular product,
and should not be relied on as providing such advice. Organisations or individuals using or
relying on the information contained in this document are deemed to do so in conjunction with
their own judgement and assessment of the information in light of their particular needs and
circumstances. The Australian Security Intelligence Organisation has taken every care in the
preparation of this document to ensure the information is accurate at the time of publication.
The Commonwealth, its officers, employees and agents exclude all liability for loss or damage
(including in negligence) suffered or incurred by any organisation or individual as a result of their
use of or reliance on the information contained in this document.
© Commonwealth of Australia 2020
FOI statement
This document, and any information, extract or summary from this document, is exempt under
the Freedom of Information Act 1982.
Contents
Introduction
Recovery and resumption
Reassess risks
People and personnel security
Mitigations to reduce the insider threat
Indicators of espionage, foreign interference or sabotage
Facility inspections
Security systems and hardware
Cyber security
Reporting cyber security incidents
Returning to work
Deterrence communications
Supply chain protective security
Destruction of information and assets
Visitor management
Lessons learned
Conclusion
References and further reading
This guide supplements the advice provided in other Australian Security Intelligence
Organisation (ASIO) security manager guides and handbooks available through ASIO’s
Outreach website—www.outreach.asio.gov.au.
When assessing the impact of the crisis on an organisation and its security, organisations
should assign priorities to their business processes and create a schedule for the scaled
resumption of services. When setting priorities, organisations should assess the criticality of
each process, and the interdependencies of each process with other operations, processes
and requirements. Once the critical processes have resumed, a timeline for resuming the
remaining processes can be implemented. The security function should return to operation
where it supports an organisation to achieve its business objectives. If this is not possible,
the security function should communicate with organisation stakeholders that, while there
may still be changes and challenges in the workplace, operations are headed in a direction
that will eventually facilitate business objectives.
Physical assets are tangible items that are valuable to an entity and require protection;
these can be described as follows.
▶▶ Valuable—the asset’s monetary value.
▶▶ Sensitive—the asset is sensitive in its own right or is sensitive because of the
confidentiality requirements of the information held on the asset—for example,
information and communications technology equipment.
▶▶ Important—the asset’s integrity or availability is significant to an organisation’s
operations.
▶▶ Attractive—the asset is not necessarily valuable but is desired—for example, an iPad.
▶▶ Significant—the asset has cultural or national significance, regardless of monetary
value.
▶▶ Dangerous—the asset is likely to inflict harm—for example, firearms and explosives.
Around the world, different regions have different timelines for easing COVID-19 restrictions,
which provides an opportunity to learn from the experiences of other organisations.
We recommend that security teams investigate the experiences of similar organisations
overseas. This could be achieved by conducting open-source research, communicating
with professional networks or liaising with partner organisations to answer the following
questions.
▶▶ How have they responded?
▶▶ Are they still responding to the pandemic or moving to recovery?
▶▶ How has their threat environment changed?
▶▶ How have their risk mitigations changed?
Organisations need to be aware of, and to understand, the changing threat environment.
For example, in the United Kingdom, communications infrastructure was vandalised and
workers harassed, following an online misinformation campaign that alleged 5G technology
is linked to COVID-19. Organisations should consider how such a threat could affect their
operations, especially if local communications infrastructure could be a single point of
failure.
Facility inspections
Access to some facilities may have been unmonitored during the restrictions period,
allowing adversaries to bypass the security measures that are usually in place. Security staff
should assess existing security measures at facilities that have either put their operations on
hold, or been operating with skeleton staff:
▶▶ at the site perimeter;
▶▶ across the intervening space between the perimeter and the building façade;
▶▶ from the perimeter into public access, reception and delivery areas; and
▶▶ in controlled access areas.
2 Refer to ANZCTC’s publication Improvised explosive device (IED) guidelines for places of mass gathering for further
information.
Key questions to ask about the current status of an organisation’s security systems are as
follows.
▶▶ Functionality
Does the system have any new functional requirements?
Is the system able to perform the existing and/or new functional requirements?
Is the system still operating as intended?
▶▶ Maintenance
Has the system been tested for functionality recently?
Has the preventive maintenance schedule been completed in accordance with
manufacturer specifications?
Is a comprehensive maintenance schedule from a new provider required?
▶▶ Redundancy
Has the stock of replacement equipment (to enable quick replacement of faulty
items) been exhausted?
How long will it take to renew the stock of replacement equipment from the current
supply chain?
Does the system have redundancy measures (for example, backup power)?
Are alternative measures in place if the system becomes inoperable?
Cyber security
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has developed
prioritised mitigation strategies in the Strategies to mitigate cyber security incidents to help
security professionals in all organisations mitigate the threat of security incidents
caused by various cyber actors. This guidance addresses targeted cyber intrusions
(that is, those executed by advanced persistent threats such as foreign intelligence services),
ransomware, external adversaries with destructive intent, malicious insiders, ‘business
email compromise’, and industrial control systems. Refer to https://www.cyber.gov.au/
publications/strategies-to-mitigate-cyber-security-incidents.
We recommend that organisations review their systems against the Strategies to mitigate
cyber security incidents, to assess whether their system security risk has changed because of
pandemic crisis responses.
One of the biggest cyber threats to emerge during the pandemic is that of hostile actors
using online phishing techniques to exploit concerns about COVID-19. By educating staff to
follow these simple steps provided by the ACSC, you can help to protect your organisation
from phishing emails.
▶▶ Before opening an email, consider who is sending it to you and what they’re asking you
to do. If you’re unsure, call the organisation you suspect the suspicious message is from,
using contact details from a verified website or other trusted source.
▶▶ Do not open attachments or click on links in unsolicited emails or messages.
▶▶ Do not provide personal information to unverified sources, and never provide remote
access to your computer.
▶▶ Remember that reputable organisations locally and overseas—including banks,
government departments, Amazon, PayPal, Google, Apple and Facebook—will not call or
email to verify or update your personal information.
▶▶ Use email, SMS or social media providers that offer spam and message scanning.
▶▶ Use two-factor authentication (2FA) on all essential services such as email, bank and
social media accounts, as this way of ‘double-checking’ identity is stronger than a simple
password. 2FA requires you to provide two things—your password and something else
(such as a code sent to your mobile device or your fingerprint)—before you, or anyone
pretending to be you, can access your account.
Cyber security incidents to be reported include suspicious system and network activities
such as:
▶▶ domain administrator accounts being locked out due to failed authentication attempts;
▶▶ unusual authentication events on remote access systems;
▶▶ service accounts communicating with internet-based infrastructure;
▶▶ compromise of sensitive and security-classified information;
▶▶ unauthorised access or attempts to access a system;
▶▶ emails with suspicious attachments or links;
▶▶ denial-of-service attacks; and
▶▶ suspicion that electronic devices have been tampered with.
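The reporting indicators above can be turned into a first-pass triage check that a security team runs over its authentication, VPN and egress logs before deciding what to escalate. The script below is an added example and is not code from the ASIO guide or from the ACSC: it applies three of the indicators (privileged-account lockouts, unusual remote-access authentication, and service accounts communicating with internet-based infrastructure) to constructed log records. The account naming conventions, business hours, internal address ranges, per-user country baseline and every sample event are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample records (not real logs). Each dict is one normalised
# event from a domain controller ("auth"), a VPN concentrator ("vpn") or an
# egress firewall ("net"). Windows event 4625 = failed logon, 4740 = lockout.
EVENTS = [
    # Three failed logons then a lockout for a domain-admin account.
    {"kind": "auth", "event_id": 4625, "user": "da-jsmith", "src": "10.0.5.12", "hour": 2},
    {"kind": "auth", "event_id": 4625, "user": "da-jsmith", "src": "10.0.5.12", "hour": 2},
    {"kind": "auth", "event_id": 4625, "user": "da-jsmith", "src": "10.0.5.12", "hour": 2},
    {"kind": "auth", "event_id": 4740, "user": "da-jsmith", "src": "10.0.5.12", "hour": 2},
    # A standard user locked out after mistyping a password: not a privileged account.
    {"kind": "auth", "event_id": 4740, "user": "acooper", "src": "10.0.7.40", "hour": 9},
    # VPN logons: one matches the user's baseline, one is a new country at 03:00.
    {"kind": "vpn", "user": "acooper", "country": "AU", "hour": 9},
    {"kind": "vpn", "user": "acooper", "country": "RO", "hour": 3},
    # Egress: a service account reaching a public address, and one reaching an internal host.
    {"kind": "net", "user": "svc-backup", "dst": "45.79.12.34", "dport": 443},
    {"kind": "net", "user": "svc-backup", "dst": "10.0.9.2", "dport": 445},
    {"kind": "net", "user": "acooper", "dst": "45.79.12.34", "dport": 443},
]

# Assumed conventions for this example: admin accounts are prefixed "da-",
# service accounts "svc-", and normal remote access happens 06:00-20:59.
PRIVILEGED_PREFIX = "da-"
SERVICE_PREFIX = "svc-"
BUSINESS_HOURS = range(6, 21)

# Explicit internal ranges (RFC 1918) rather than ip_address().is_private,
# which also treats documentation ranges as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed per-user baseline of countries seen before the pandemic response.
VPN_BASELINE = {"acooper": {"AU"}}


def is_internal(addr):
    """True if the address falls inside one of the organisation's internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def privileged_lockouts(events):
    """Lockout events (4740) for accounts that follow the admin naming convention."""
    return [(e["user"], e["src"]) for e in events
            if e["kind"] == "auth" and e["event_id"] == 4740
            and e["user"].startswith(PRIVILEGED_PREFIX)]


def unusual_remote_auth(events, baseline):
    """VPN logons from a country outside the user's baseline or outside business hours."""
    findings = []
    for e in events:
        if e["kind"] != "vpn":
            continue
        reasons = []
        if e["country"] not in baseline.get(e["user"], set()):
            reasons.append("new country " + e["country"])
        if e["hour"] not in BUSINESS_HOURS:
            reasons.append("off-hours %02d:00" % e["hour"])
        if reasons:
            findings.append((e["user"], ", ".join(reasons)))
    return findings


def service_account_egress(events):
    """Service accounts talking to addresses outside the internal ranges."""
    return [(e["user"], e["dst"], e["dport"]) for e in events
            if e["kind"] == "net" and e["user"].startswith(SERVICE_PREFIX)
            and not is_internal(e["dst"])]


def triage(events, baseline=VPN_BASELINE):
    """Run all three indicator checks and return the findings grouped by indicator."""
    return {
        "privileged_lockouts": privileged_lockouts(events),
        "unusual_remote_auth": unusual_remote_auth(events, baseline),
        "service_account_egress": service_account_egress(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(name, "->", hits if hits else "none")
```

Each finding is a candidate for the reporting process described above, not a confirmed incident: the standard user's lockout and the user's own browsing to a public address are deliberately left out, because the indicators are about privileged accounts and service accounts specifically. In production the events would be read from a SIEM export and the baseline built from a pre-pandemic window rather than hard-coded.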
An organisation may have legal obligations under the Notifiable Data Breaches scheme if it
experiences a data breach likely to result in serious harm to any individuals whose personal
information is involved in the breach. For further advice, refer to the Office of the Australian
Information Commissioner website at https://www.oaic.gov.au.
Returning to work
As restrictions begin to be lifted and business starts to increase beyond baseline operations,
people will inevitably return to work, and business outputs will start to return to normal.
As an organisation transitions staff from working-at-home arrangements back to office-based
or facility-focused work, security teams should consider the following points.
▶▶ Plan ahead, to ensure the supply of equipment or services critical to your organisation’s
operation is not interrupted, given that many organisations will be taking similar steps at
the same time as restrictions are relaxed.
Deterrence communications
An organisation can review, promote and communicate its security measures using
deterrence communications. These communications can discourage an adversary from
targeting a location if they perceive it is too difficult to attack. Deterrence communications
aim to:
▶▶ deny access to information needed to plan an attack; and
▶▶ create a perception that an attack will fail because effective security measures are in place.
We recommend that organisations audit the open-source information they are producing
to ensure it isn’t creating or exposing new security vulnerabilities, thereby denying an
adversary access to the information they require.
Supply chain protection does not stop with securing a facility through gates and locks—
it extends to the protection of products and people involved in supply chain activities,
as well as the internal and external information flows across the supply chain. Supply chain
defence is not only a matter of ensuring the safety of these assets, but also of preventing
theft, damage and unintentional intrusions that could disrupt supply chain operations.
If you have engaged a provider at short notice to respond to the crisis, make sure
appropriate background and security checks have been completed. We recommend you
revisit your supply chain protective security by:
▶▶ updating the supply chain security risk assessment;
▶▶ identifying what needs to be protected and whether it has changed;
▶▶ assessing existing supply chain security measures and whether they have decreased or
increased;
▶▶ improving existing security measures;
▶▶ re-engaging with your organisation’s service providers;
▶▶ ensuring previously mutually agreeable solutions still work for both parties;
▶▶ providing support;
▶▶ maintaining security measures;
▶▶ maintaining contact; and
▶▶ building relationships.
Further advice can be found in ASIO’s security managers guide Supply chain security,
available on ASIO’s Outreach website—www.outreach.asio.gov.au.
If there is a large amount of material for destruction, consider a secure temporary storage
space, additional outsourced destruction and sanitisation services, or a staged approach to
information sanitisation and destruction.
Visitor management
Visitor management processes and systems can be adapted to aid health and safety best
practices and to reduce exposure to employees and other visitors. For example, visitors could
be security screened to ensure they meet entry requirements, and entry refused if they have:
▶▶ travelled out of the country in the past 14 days;
▶▶ experienced symptoms such as cough, shortness of breath or fever; and/or
▶▶ recently had contact with any person(s) who is confirmed as, or suspected of,
having COVID-19.
Screening should start before a visitor arrives at the facility so that, if they do not meet the
criteria to enter the building, an organisation can refuse entry.
Lessons learned
To enhance organisational resilience and improve policies and procedures, security
managers should consider reviewing their organisation’s pandemic response plan, crisis
management plan, business continuity plan and working-from-home policy, where relevant.
The results could be incorporated into an ‘After action report’ for your organisation’s senior
leadership. Topics could include:
▶▶ what worked well, and why;
▶▶ what didn’t work, and why;
Identify areas where the security function could be better prepared or add significant
value to a business’s operations, such as providing a backup ability to remotely access and
monitor security systems during disruptive events.
Conclusion
In the face of the global COVID-19 pandemic, Australian organisations have had to manage
a dispersed workforce with staff working from home. The information, assets and personnel
of organisations were suddenly exposed to a less controlled and frequently changing
environment. As organisations return to their facilities, the uncertainty of the new operating
environment will have an impact on their business objectives.
What will endure—and potentially develop in unexpected ways—is the volatile, uncertain,
complex and ambiguous environment caused by the crisis.
References and further reading
Australian Cyber Security Centre, Cyber security is essential when preparing for COVID-19, March 2020, https://www.cyber.gov.au/news/cyber-security-essential-when-preparing-covid-19
Australian Cyber Security Centre, Threat update: COVID-19 malicious cyber activity, 20 April 2020, https://www.cyber.gov.au/threats/threat-update-covid-19-malicious-cyber-activity
Australian Cyber Security Centre, COVID-19: cyber security tips when working from home, https://www.cyber.gov.au/advice/covid-19-cyber-security-tips-when-working-home
Australian Security Intelligence Organisation, Security managers guide, Supply chain security, 2017, https://www.outreach.asio.gov.au
United Kingdom Centre for the Protection of National Infrastructure, Personnel security in remote working: a good practice guide, February 2012, https://www.cpni.gov.uk/system/files/documents/af/05/personnel-security-in-remote-working-a-good-practice-guide.pdf
United Kingdom National Cyber Security Centre, Home working: preparing your organisation and staff, 17 March 2020, https://www.ncsc.gov.uk/guidance/home-working
Williams, Don, ‘Why your security risk review is out of date’, Security Solutions, 30 April 2020, https://www.securitysolutionsmedia.com/2020/04/30/why-your-security-risk-review-is-out-of-date/