Public servants still need to take care about what they share, but an update to key security advice for the Australian government has seen the removal of a recommendation that they avoid posting even the most banal details about their lives on websites such as Facebook and Twitter.
The Australian Signals Directorate, which provides security guidance for federal government departments and agencies, has updated its controls manual (PDF) — one of the three components of the Information Security Manual maintained by the ASD.
(The Department of Defence indicated to Computerworld earlier this year that consultation over the 2017 edition of the ISM was extended beyond the regular timeframe, pushing back the release of a new edition.)
Control 0924 stated that personnel “should” (as opposed to “must”) avoid posting personal information — including past and present employment details, personal details, schools/institutions, clubs/hobbies, educational qualifications, current work duties and work contact details — on websites.
The security control has been removed as part of the new edition, which also includes updates to 121 controls.
Other controls still in the ISM advise agencies to inform personnel of security risks relating to posting personal information on websites and call for public servants to use privacy settings available for online services.
The controls manual notes: “Personnel need to be aware that any personal information they post on websites could be used to develop a detailed profile of their lifestyle and hobbies in order to attempt to build a trust relationship with them or others. This relationship could then be used to attempt to elicit sensitive or classified information from them or implant malicious software on systems by having them, for example, open emails or visit websites with malicious content.
“Encouraging personnel to use the privacy settings on websites to restrict who can view their information and not allow public access will minimise who can view their interactions on websites. The privacy settings should be regularly reviewed for changes to the website policy and ensure the settings maintain privacy.”
There are nine new security controls:
• 1469: Unique domain accounts with local administrative privileges, but without domain administrative privileges, should be used for workstation and server management.
• 1470: Any unrequired functionality in applications should be disabled.
• 1471: When implementing application whitelisting using publisher certificates, both publisher names and product names must be used for application whitelisting rules.
• 1472: Security vulnerabilities in operating systems, applications, drivers and hardware devices assessed as moderate or low risk must be patched or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system owners or users.
• 1473: Privileged users must use a dedicated workstation when performing privileged tasks.
• 1474: Agencies must only allow management traffic to originate from network zones that are used to administer systems and applications.
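Control 1471 is the one item in the list that prescribes a specific rule shape, so here is what it looks like in practice for Windows AppLocker, the whitelisting mechanism most agencies covered by the ISM use. This is an added illustration, not text from the ISM or from Computerworld; the vendor, product name and rule GUIDs are constructed placeholders, and the only real values are the AppLocker XML schema itself and the well-known SID S-1-1-0 (Everyone). The commented-out rule shows the form the control rules out: matching on the publisher certificate alone, which lets any signed binary from that vendor run, including ones with a known vulnerability or a legitimate tool repurposed by an attacker. The live rule matches publisher and product, as 1471 requires.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example of an AppLocker executable rule collection (not an ISM artefact).
     Publisher and product strings are constructed placeholders; substitute the
     values reported by Get-AppLockerFileInformation for your own binaries. -->
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">

    <!-- NON-COMPLIANT with control 1471 (kept only for contrast, deliberately
         commented out): ProductName="*" means every executable signed by this
         publisher is allowed, whatever product it ships in.

    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111"
                       Name="Allow everything signed by Example Pty Ltd"
                       Description="Publisher-only rule: too broad"
                       UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PTY LTD, L=CANBERRA, S=ACT, C=AU"
                                ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    -->

    <!-- COMPLIANT with control 1471: the rule names both the publisher (taken
         from the code-signing certificate subject) and the product (taken from
         the signed binary's version resource). Other products signed by the
         same vendor are not whitelisted by this rule. -->
    <FilePublisherRule Id="22222222-2222-2222-2222-222222222222"
                       Name="Allow Example Viewer signed by Example Pty Ltd"
                       Description="Publisher + product rule, any version"
                       UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PTY LTD, L=CANBERRA, S=ACT, C=AU"
                                ProductName="EXAMPLE VIEWER" BinaryName="*">
          <!-- Leave the version open so routine patching (control 1472) does
               not break the rule; tighten LowSection if a minimum patched
               version must be enforced. -->
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>

  </RuleCollection>
</AppLockerPolicy>
```

The policy is applied locally with `Set-AppLockerPolicy -XmlPolicy <file>` or distributed through Group Policy; the publisher and product strings for a given binary can be read with `Get-AppLockerFileInformation -Path <exe>`, which is the safest way to avoid typos in the certificate subject.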
Controls 1475, 1476, and 1477, all of which are new, recommend increased key lengths for use with DH key exchange, DSA digital signatures, and RSA encryption.
Last year’s update to the ISM incorporated US CNSS recommendations related to encryption algorithms and key length, in an effort to prepare for the threat posed by quantum computers to conventional encryption.
The ASD recently released new standards for password use at government agencies, seeking to balance security with usability requirements.
Earlier this year a parliamentary inquiry recommended the agency’s ‘Essential Eight’ strategies to mitigate cyber security incidents should be mandatory for federal government departments and agencies.