During the assessment process, an entity’s cyber security hygiene may be found to be Ad-Hoc or Developing. In that case, the task status should be changed to Action Plan Requested once the assessment has been sent to the entity.
If you’re unsure of the status, review the entity records on Objective and ensure that the assessment was sent to the entity, requesting that they complete Part 2 – Action Plan.
Action Plan Purpose
The purpose of requesting a response to Part 2 of the assessment, known as the “Action Plan”, is to afford DISP applicants an opportunity to improve (“Uplift”) their cyber security hygiene.
The intent is for the uplift process to be a supportive one in which we offer general advice and guidance on how an entity may improve its cyber security hygiene.
Need to know:
DISO Cyber is not to provide software or vendor recommendations in relation to meeting our cyber security hygiene standards; Defence cannot be seen to endorse software solutions or vendors.
When an entity identifies that they’re using software or services, we can provide general guidance around their platforms.
Acceptable Example:
An entity is using Microsoft 365 Business Premium but has not implemented Microsoft Endpoint Manager for the patching of applications or operating systems. It is acceptable to advise them that the platform they’re using supports this functionality and to point them toward publicly available information about it.
Required Action
It is the responsibility of the applicant entity to complete and return Part 2 of their Cyber Assessment to DISO.Cyber@defence.gov.au. The entity may, at any time, request general advice or a teleconference to discuss their circumstances.