ACSC asks IT buyers to check authenticity of purchases – Security

The Australian Cyber Security Centre has inserted new controls into the information security manual (ISM) that demand checks on the “integrity” and “authenticity” of IT purchases, months after US agencies were found to have bought and installed counterfeit networking gear.

An update to the ISM [pdf] on Thursday last week introduced three new controls, numbered ISM-1790, ISM-1791 and ISM-1792.

The controls ask the buyers of IT – “applications, ICT equipment and services” – to verify the integrity of what they’ve bought “as part of acceptance of products and services”, and then to maintain integrity.

They also seek action to determine the “authenticity” of products and services at acceptance.

The ISM offers some guidance on the type of checks that could be used to comply with the controls.

“Applications may benefit from delivery via encrypted communication channels while ICT equipment may benefit from tracking and tamper-evident packaging,” it advises.

“In doing so, such measures are only beneficial if they are assessed as part of acceptance of products and services. 

“In all cases, suppliers should be consulted on how best…
