Entry Level Assessors Course
Cyber Security Questionnaire (CSQ) Overview:

The purpose of the Cyber Security Questionnaire is to ensure that all DISP applicants have an acceptable level of cyber security hygiene to correspond with Defence and handle Defence information up to OFFICIAL and OFFICIAL: Sensitive.

Understanding the Cyber Security Questionnaire section by section will give you better insight into the entity's environment.

The Cyber Security Questionnaire is broken up into Parts; this lesson goes through each part in turn.

The latest version of the Cyber Security Questionnaire can be found online here: https://ext.defence.gov.au/security/industry-resources

Note: At this time, the CSQ is undergoing review, and whilst the subject matter will remain predominantly the same, there are some minor errors and issues with the current questionnaire. This advice is valid as of 15 August 2022.

Part A: Information and cybersecurity

This section on cyber security provides you with an understanding of the organisation and the systems they use.

Company Name – The entity's company name.

ITSA/CISO/ISO/SO – The entity's IT Security Advisor, Chief Information Security Officer and Security Officer (where applicable).

Accreditation Standard – The accreditation standard being met, e.g. Essential Eight, ISO, NIST, UK Def Standard. Note: if the entity does not list one, it is automatically understood that they are working against the Essential Eight.

System/Network name – Names of all the systems and networks used to correspond with Defence.

System Description – A brief description of the systems and networks used to correspond with Defence, up to and including OFFICIAL: Sensitive material.

Protective Markings in use – List the protective markings that your organisation observes or will observe when corresponding and working with defence. 

Supply Chain – Describe any engagements your organisation provides in the delivery of goods and/or services to defence Major Capabilities. Specifically: Shipbuilding, Future submarines, Joint Strike Fighter, Land Battle Management, etc.

Part B: Information and cybersecurity

Correspondence with Defence and Cloud – How does your organisation correspond with Defence or handle Defence material on your corporate network?
Please include relevant details on how your organisation meets Entry Level DISP requirements.

When working with Defence, does your organisation primarily use DREAMS, DSN or Higher Classification On-Premises Defence ICT systems?

Does your organisation use application control software and/or Mobile Application Management (MAM)? (e.g. Fortinet/Intune or similar) Please provide details:

Does your organisation use any Software as a Service (SaaS) products? (e.g. Microsoft 365, OneDrive, Dropbox, Google G-Suite) If Yes, please state the license categories held.

Does your organisation implement Mobile Device Management (MDM)? (e.g. Intune or similar) Please provide details:

Does your organisation use any Multi-Factor Authentication (MFA)? (e.g.: Mobile Application, Token, SMS, or email) If Yes, please provide details:

How many employees?
How many IT administrators?
How many privileged users / users who require elevated credentials within your organisation?

Application controls: application controls are an effective mechanism that prevents malicious code from executing and also ensures that only approved applications can be installed. (Please state Yes, No or N/A. Provide commentary where possible.)

For organisations with a managed ICT system, restricting the installation of applications to administrators is not considered an Application Control.

  • Q1.1 An application control solution is implemented on all workstations to restrict the execution of executables to an approved set.
  • Q1.2 An application control solution is implemented on all servers to restrict the execution of executables to an approved set.
    If your organisation uses M365, G-Suite or a similar service as your corporate network service provider and has no server infrastructure (e.g. on-premises or cloud VMs), please specify ‘M365/G-Suite/other service name’.
  • Q1.3 Microsoft’s latest recommended block rules are implemented to prevent application control bypasses.
    Only tick this box if the above controls have been addressed.
    Note: This control is not a default when using Microsoft products.
  • Q1.4 We do not have application controls. (Please provide reason in the ‘Comments’ section below)

Patch applications: patching applications across networks and systems in a timely manner lowers the risk of vulnerabilities within software being exploited. (Tick all that apply)

  • Q2.1 Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within one month of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.
  • Q2.2 An automated mechanism has been implemented to confirm and record that deployed applications and driver patches / updates have been installed and applied successfully. This is an independent solution that checks for currency across all applications on your systems.
  • Q2.3 Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions. If yes, please explain why it is necessary.
  • Q2.4 Automatic updates are turned on for all applications.
  • Q2.5 No patching regime exists.
  • Comment Section – Provide reasons for the above answers in the ‘Comments’ section.

Patch operating systems: keeping operating systems and firmware up to date with the latest patches in a timely manner lowers the risk of known vulnerabilities being exploited. (Tick all that apply)

  • Q3.1 Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 1 month of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.
  • Q3.2 An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place. This is an independent solution that checks for currency across all applications on your systems.
  • Q3.3 Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.
  • Q3.4 Automatic updates are turned on for all operating systems.
  • Q3.5 No patching regime exists. 
  • Comment Section – Provide reasons for the above answers in the ‘Comments’ section.
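To make the patching criteria concrete for an assessor reviewing evidence, the following added example (not from the questionnaire or Defence) evaluates constructed patch records against the one-month window of Q2.1/Q3.1 and the vendor-support requirement of Q2.3/Q3.3. The 30-day reading of "one month", the record layout and the asset names are assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample records (not real data): one row per vulnerability the
# entity reported, with the date it was identified and the date it was fixed.
PATCH_RECORDS = [
    {"asset": "finance-ws01", "product": "Browser", "risk": "extreme",
     "identified": date(2022, 6, 1), "patched": date(2022, 6, 20), "supported": True},
    {"asset": "file-srv01", "product": "Server OS", "risk": "extreme",
     "identified": date(2022, 6, 3), "patched": None, "supported": True},
    {"asset": "eng-ws07", "product": "CAD tool", "risk": "high",
     "identified": date(2022, 5, 10), "patched": date(2022, 7, 1), "supported": False},
    {"asset": "hr-ws02", "product": "PDF reader", "risk": "extreme",
     "identified": date(2022, 5, 1), "patched": date(2022, 6, 15), "supported": True},
]

# Assumed interpretation of "within one month" for Q2.1/Q3.1.
ONE_MONTH = timedelta(days=30)
# Constructed assessment date; an unpatched extreme-risk item is measured up to this day.
AS_OF = date(2022, 8, 15)


def assess_patching(records, as_of):
    """Return findings against Q2.1/Q3.1 (extreme-risk items fixed within a month)
    and Q2.3/Q3.3 (no products lacking vendor support). Empty lists mean no finding."""
    late, unsupported = [], []
    for r in records:
        if not r["supported"]:
            unsupported.append(r["asset"])
        if r["risk"] != "extreme":
            continue  # the one-month clock only applies to extreme-risk items
        end = r["patched"] if r["patched"] is not None else as_of
        if end - r["identified"] > ONE_MONTH:
            late.append(r["asset"])
    return {"late_extreme": late, "unsupported": unsupported,
            "timeliness_met": not late, "supported_only": not unsupported}


if __name__ == "__main__":
    result = assess_patching(PATCH_RECORDS, AS_OF)
    print("Q2.1/Q3.1 met:", result["timeliness_met"], "late:", result["late_extreme"])
    print("Q2.3/Q3.3 met:", result["supported_only"], "unsupported:", result["unsupported"])
```

A "Yes" ticked against Q2.1 or Q3.1 with records like these would be a discrepancy the assessor should query in the Comments section.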

Restrict administrative privileges: only allowing privileged access to trusted and relevant persons in your organisation can lower the risk of insider threats and malicious threat actors that gain access to such accounts. (Tick all that apply)

  • Q4.1 Privileged access to systems, applications and data repositories is validated when first requested.
  • Q4.2 Policy security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services.
  • Q4.3 Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties.
  • Q4.4 All users in the environment have local admin access to their workstations.
  • Q4.5 All users in the environment have domain admin access.
  • Q4.6 There are no user access controls implemented.
  • Comment Section – Provide reasons for the above answers in the ‘Comments’ section.

Governance, Personnel Security, Physical security, and Incident responses
Questions within this area of the CSQ address broader security controls that integrate with information and cyber security.

Authorisation – "As the (system owner/s) for (insert system/s name), I confirm that the information contained within this document accurately reflects the implementation of the system at the date of signature." Note: It is important that the form has been signed by the correct position within the organisation.
