Data Transfers

ISM-0660

Data transfer logs for SECRET and TOP SECRET systems are fully audited at least monthly.

Topic
Monitoring data import and export
Applicable to
Secret, Top Secret

History

Priority
must
Dec 2021
Data transfer logs for SECRET and TOP SECRET systems are fully audited at least monthly.
Miscellaneous changes were made to rationale and security controls throughout the publication. This included:
• A review from the Using the Information Security Manual chapter through to the Guidelines for Media chapter.
• Security controls suitable for all audiences have been identified with the ‘All’ applicability marking while additional security controls suitable for just government audiences have been identified with the O, P, S and TS applicability markings.
• Security controls suitable for specific classifications have been amended to include their classification(s) in the wording of the security controls to reduce the reliance on applicability markings to confer suitability.
• Tables in security controls have been converted into prose to allow for inclusion in the SSP annex template and the XML list of security controls.
• The use of ‘official’ and ‘highly classified’ terminology has been replaced with specific classifications to remove ambiguity.
• Security controls relating to high assurance ICT equipment have had their applicability narrowed to ‘S, TS’ reflecting that they are intended for the protection of SECRET and TOP SECRET systems and data.
Mar 2022
Data transfer logs for SECRET and TOP SECRET systems are fully verified at least monthly.
Due to the confusing use of audit terminology, references to ‘audited’ have been changed to ‘verified’. For example, an ICT equipment register is verified (rather than audited) on a regular basis. This will allow security personnel, or other suitable parties, to conduct such activities rather than having to rely on the use of an organisation’s internal auditors.
Aug 2020
Data transfer logs are fully audited at least monthly.
Security controls 1294 and 0660 were amended to capture both data imports and data exports. As such, security control 1295 and 0673 were removed.
Jul 2020
When importing data to a system, data transfer logs are fully audited at least monthly.
2015
When importing data to each security domain, including through a gateway, agencies mustaudit the complete data transfer logs at least monthly.
2010
When importing data to a system through gateways, full or partial audits of the event logs must beperformed at least monthly.