Australian Cyber Security Centre updates security framework for CIOs, CISOs

The cyber security principles provide strategic guidance on how organisations can protect their systems and data.

The Australian Cyber Security Centre has released its latest update of the Australian Government Information Security Manual.

The purpose of the Australian Government Information Security Manual (ISM) is to outline a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and information from cyber threats.  The ISM is intended for Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), cyber security professionals and information technology managers.

The purpose of the cyber security principles is to provide strategic guidance on how organisations can protect their systems and information from cyber threats.

These cyber security principles are grouped into four key activities: govern, protect, detect, and respond.

  • Govern: Identifying and managing security risks.
  • Protect: Implementing security controls to reduce security risks.
  • Detect: Detecting and understanding cyber security events.
  • Respond: Responding to and recovering from cyber security incidents.

Govern principles

  • A Chief Information Security Officer provides leadership and oversight of cyber security.
  • The identity and value of systems, applications and information are determined and documented.
  • The confidentiality, integrity and availability requirements of systems, applications and information are determined and documented.
  • Security risk management processes are embedded into organisational risk management frameworks.
  • Security risks are identified, documented, managed, and accepted both before systems and applications are authorised for use, and continuously throughout their operational life.

Protect principles

  • Systems and applications are designed, deployed, maintained, and decommissioned according to their value and their confidentiality, integrity, and availability requirements.
  • Systems and applications are delivered and supported by trusted suppliers.
  • Systems and applications are configured to reduce their attack surface.
  • Systems and applications are administered in a secure, accountable, and auditable manner.
  • Security vulnerabilities in systems and applications are identified and mitigated in a timely manner.
  • Only trusted and supported operating systems, applications and computer code can execute on systems.
  • Information is encrypted at rest and in transit between different systems.
  • Information communicated between different systems is controlled, inspectable and auditable.
  • Information, applications, and configuration settings are backed up in a secure and proven manner on a regular basis.
  • Only trusted and vetted personnel are granted access to systems, applications, and data repositories.
  • Personnel are granted the minimum access to systems, applications and data repositories required for their duties.
  • Multiple methods are used to identify and authenticate personnel to systems, applications, and data repositories.
  • Personnel are provided with ongoing cyber security awareness training.
  • Physical access to systems, supporting infrastructure and facilities is restricted to authorised personnel.

Detect principles

  • Cyber security events and anomalous activities are detected, collected, correlated and analysed in a timely manner.

Respond principles

  • Cyber security incidents are identified and reported both internally and externally to relevant bodies in a timely manner.
  • Cyber security incidents are contained, eradicated, and recovered from in a timely manner.
  • Business continuity and disaster recovery plans are enacted when required.

Maturity modelling

When implementing the cyber security principles, organisations can use the following maturity model to assess the implementation of either individual principles, groups of principles or the cyber security principles as a whole.

The five levels in the maturity model are:

  • Incomplete: The cyber security principles are either partially implemented or not implemented.
  • Initial: The cyber security principles are implemented, but in a poor or ad hoc manner.
  • Developing: The cyber security principles are sufficiently implemented, but on a project-by-project basis.
  • Managing: The cyber security principles are established as standard business practices and robustly implemented throughout the organisation.
  • Optimising: A deliberate focus on optimisation and continual improvement exists for the implementation of the cyber security principles throughout the organisation.

Controlling physical access to network devices

Adequate physical protection should be provided to network devices, especially those in public areas, to prevent an adversary physically damaging a network device with the intention of interrupting services.

Physical access to network devices can also allow an adversary to reset devices to factory default settings by pressing a physical reset button, connecting a serial interface to a device or connecting directly to a device to bypass any access controls. Resetting a network device to factory default settings may disable security settings on the device including authentication and encryption functions as well as resetting administrator accounts and passwords to known defaults.

Even if access to a network device is not gained by resetting it, it is highly likely a denial of service will occur. Physical access to network devices can be restricted through methods such as physical enclosures that prevent access to console ports and factory reset buttons, mounting devices on ceilings or behind walls, or placing devices in locked rooms or cabinets.
