Victorian Protective Data Security Standard 17 (ICT Lifecycle) and ASD TOP 4

The VPDSS control reference for Standard 17 (ICT Lifecycle) states that “an organisation should align its ICT security controls with the Information Security Manual (ISM) published by the Australian Signals Directorate (ASD)”.

To help organisations prioritise the application of risk-based ICT controls, CPDP encourages agencies and bodies to consider the ASD strategies to mitigate targeted cyber intrusions. These 35 strategies set out key technical measures designed to prevent targeted cyber intrusion based on intrusion observations from the ASD Cyber Security Operations Centre (CSOC).

The ASD CSOC estimates that at least 85% of the cyber intrusion techniques could be prevented by implementing the Top 4 mitigation strategies. As a package, the Top 4 mitigation strategies are highly effective in helping achieve a stronger ICT system.

These four mitigation strategies are more commonly referred to as the ASD TOP 4:

  1. Application whitelisting to ensure that only software that is specified and authorised can run on a system;
  2. Patching third party applications;
  3. Patching operating systems; and
  4. Restricting administrative privileges.

Implementing the top four strategies helps to secure an ICT system by preventing cyber intrusions and making your network more resilient.

Organisations should continue to conduct risk assessments and implement other mitigation strategies as required to protect their ICT systems.

ASD TOP 4 Awareness Video - ‘Catch, Patch, Match’

The evidence to date clearly indicates the ‘Catch, Patch, Match’ approach is the best way to mitigate against cyber intrusions, protect your most valuable information and enhance the resilience of your networks. To help explain this approach, ASD has produced a short video, which can be accessed here:

Catch malware by application whitelisting;

Patch software and operating systems; and

Match administrator rights to the right people.

Additional supporting material published by ASD

ASD have also produced a range of supporting material to help organisations implement the strategies to mitigate targeted cyber intrusions.

This material can be accessed here -