ISM-0100

Gateways undergo a security assessment by an IRAP assessor at least every 24 months.

Topic
Assessment of gateways
Applicable to
all

History

Priority
should
Jun 2022
Gateways undergo a security assessment by an IRAP assessor at least every 24 months.
The ISM previously recommended that ‘commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Infosec Registered Assessors Program (IRAP) assessors at least every 24 months’. This recommendation was reintroduced and amended to ‘gateways undergo a security assessment by an IRAP assessor at least every 24 months’ to support the upcoming release of new gateway security guidance by the ACSC. Note, the scope of this recommendation relates to all gateways, and not just outsourced gateway services.
Dec 2021
Removed
As per the joint statement between the Digital Transformation Agency and the Australian Signals Directorate (ASD) on the future of Secure Internet Gateways (SIGs), ASD will no longer be conducting re-certification activities for SIGs. This includes ASD staff members conducting joint security assessments with Infosec Registered Assessor Program assessors as part of re-certification activities. Note, currently certified SIGs will remain certified until 1 July 2022.
Jul 2020
Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program (IRAP) assessors at least every 24 months.
Security control 0100 was amended to clarify that the period between security assessments shouldn’t be greater than 24 months, as opposed to two years which could be interpreted as every 36 months if timed correctly.
Jun 2020
Commercial and government gateway services selected by the ACSC undergo a joint security assessment by ACSC and Information Security Registered Assessors Program assessors at least every two years.
2017
Commercial or government-provided gateway services intended for use by multiple agencies must undergo an Information Security Registered Assessor Program (IRAP) security assessment and be awarded certification by ASD at least every two years.
Control Text Changed. No public explanation.
2015
Commercial or government-provided gateway services intended for use by multiple agencies must undergo an Information Security Registered Assessor Program Audit and be awarded certification by ASD annually.
2010
Agencies should ensure commercial providers of gateway services have undergone an audit by an infosec-registered assessor and received certification from DSD.
2008
Agencies should ensure that any companies contracted to provide gateway services have received a gateway certification from DSD or an infosec-registered assessor.