A significant revamp of a key cyber security document is designed to provide government agencies with strategic guidance on protecting their data.
The Australian Cyber Security Centre (ACSC), which is part of the Australian Signals Directorate (ASD), has released an updated version of the government’s Information Security Manual (ISM). The ISM now includes a series of “cyber security principles” grouped into four key activities:
- Govern: Identifying and managing security risks.
- Protect: Implementing security controls to reduce security risks.
- Detect: Detecting and understanding cyber security events.
- Respond: Responding to and recovering from cyber security incidents.
The document includes a framework to help organisations assess their maturity across the four activities.
The updated ISM is the culmination of a 12-month effort to shift the document “from a compliance-based information security manual to a principles-based cyber security framework that organisations can apply, using their corporate risk management framework, to protect their systems and information from cyber threats,” a statement released by the ACSC said.
“With the release of these updated principles, government, industry and academia are strongly encouraged to consider the strategic guidance they provide when designing and implementing new systems and services.”
The ISM now receives monthly updates; previously it was updated on an annual basis.
The new edition of the ISM also updates a range of security controls. Many of the changes are relatively minor (for example, the term “data repositories” is now used in preference to “information”), but the control relating to temporary access to systems has been tightened, and the recommendations on management practices for passwords used as the sole method of authentication for a system have also undergone some small changes.
The ISM is available online.
In July, the ACSC released an update to its ‘Essential Eight’ maturity model; the ASD first published the Essential Eight mitigation strategies in early 2017.
The ACSC’s ‘cyber security principles’ (from the Australian Government Information Security Manual, September 2019):
G1: A Chief Information Security Officer provides leadership and oversight of cyber security.
G2: The identity and value of systems, applications and information are determined and documented.
G3: The confidentiality, integrity and availability requirements of systems, applications and information are determined and documented.
G4: Security risk management processes are embedded into organisational risk management frameworks.
G5: Security risks are identified, documented, managed and accepted both before systems and applications are authorised for use, and continuously throughout their operational life.
P1: Systems and applications are designed, deployed, maintained and decommissioned according to their value and their confidentiality, integrity and availability requirements.
P2: Systems and applications are delivered and supported by trusted suppliers.
P3: Systems and applications are configured to reduce their attack surface.
P4: Systems and applications are administered in a secure, accountable and auditable manner.
P5: Security vulnerabilities in systems and applications are identified and mitigated in a timely manner.
P6: Only trusted and supported operating systems, applications and computer code can execute on systems.
P7: Information is encrypted at rest and in transit between different systems.
P8: Information communicated between different systems is controlled, inspectable and auditable.
P9: Information, applications and configuration settings are backed up in a secure and proven manner on a regular basis.
P10: Only trusted and vetted personnel are granted access to systems, applications and data repositories.
P11: Personnel are granted the minimum access to systems, applications and data repositories required for their duties.
P12: Multiple methods are used to identify and authenticate personnel to systems, applications and data repositories.
P13: Personnel are provided with ongoing cyber security awareness raising and training.
P14: Physical access to systems, supporting infrastructure and facilities is restricted to authorised personnel.
D1: Cyber security events and anomalous activities are detected, collected, correlated and analysed in a timely manner.
R1: Cyber security incidents are identified and reported both internally and externally to relevant bodies in a timely manner.
R2: Cyber security incidents are contained, eradicated and recovered from in a timely manner.
R3: Business continuity and disaster recovery plans are enacted when required.