
Australian Government

Information Security Manual

Principles

2015


© Commonwealth of Australia 2015

All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia licence. For the avoidance of doubt, this means this licence only applies to material as set out in this document.

The details of the relevant licence conditions are available on the Creative Commons website as is the full legal code for the CC BY 3.0 AU licence.

http://creativecommons.org/licenses/by/3.0/au/deed.en
http://creativecommons.org/licenses/by/3.0/legalcode

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are detailed on the Department of the Prime Minister and Cabinet’s website.

http://www.dpmc.gov.au/guidelines/index.cfm

Contact us

Inquiries regarding the licence and any use of this document are welcome at:

Australian Signals Directorate
PO Box 5076 Kingston ACT 2604
1300 CYBER1 (1300 292 371)
[email protected]

Foreword

In recent years, the Australian Government has made great advances in bringing its business online. The benefits of government information and communications technology (ICT) systems and services becoming increasingly connected will continue as the government makes the most of new technologies. However, this new, connected way of doing business also creates opportunities for adversaries to gain an advantage by exploiting these technologies to access information of national importance.

As our intrusion detection, response, mitigation and threat assessment capabilities continue to improve, so too do the skills of cyber threat actors. This requires us to be vigilant, flexible and proactive in our approach to cyber and information security.

Strong security is not a trivial process — it requires ongoing vigilance and resources. By continually hardening our defences, we have a greater chance of protecting the information entrusted to us.

The Australian Government Information Security Manual (ISM) comprises three complementary documents designed to provide greater accessibility and understanding at all levels of government. This Principles document details the guiding principles and rationale to assist senior decision makers in developing informed risk-based information security policies within their organisations.

I commend you on your agency’s efforts to strengthen your cyber and information security and trust you’ll continue to keep security as an agency priority.

Dr Paul Taloni
Director

Contents

Foreword

Information Security: Countering the Threat
The Threat Environment
Countering the Cyber Threat
The Australian Government Information Security Manual
ASD’s Role

Principles
Information Security Risk Management
Outsourced Information Technology Services
Roles and Responsibilities
Information Security Documentation
System Accreditation
Information Security Monitoring
Cyber Security Incidents
Physical Security
Personnel Security
Communications Infrastructure
Communications Systems and Devices
PSPF Mandatory Requirement INFOSEC 4 Explained
Product Security
Media Security
Software Security
Email Security
Access Control
Secure Administration
Network Security
Cryptography

Information Security: Countering the Threat

The Threat Environment

Advances in information and communications technology (ICT) are allowing for greater accessibility, mobility, convenience, efficiency and productivity across almost all aspects of Australian life. Australia’s national security, economic prosperity and social wellbeing now depend on ICT, and the Internet in particular. The security of sensitive government and commercial information, the security of our digital infrastructure, and public and international confidence in Australia as a safe place to do business online are critical to our future.

Because any Internet-connected device or computer system is highly susceptible to malicious cyber activity, our dependence on ICT also brings greater exposure to threats. The threat is not limited to classified systems and information. A wide range of institutions, both public and private, have been subjected to malicious cyber activities.

Australia continues to be the target of persistent and sophisticated cyber exploitation activity by malicious actors. The most prevalent threat to Australian networks is cyber exploitation; that is, activity by malicious actors to covertly collect information from ICT systems. Australia is also threatened by the possibility of cyber attack—offensive activity designed to deny, degrade, disrupt or destroy information or ICT systems.1

Tools and Techniques

Malicious software (malware) is the main tool used to gain unauthorised access to computers, steal information and disrupt or disable networks. Since malware—along with instructions and guidance for its use—is readily available on the Internet, anyone with intent is able to access the tools and information needed to undertake malicious cyber activity. Examples of malware include trojans—programs which seem legitimate but provide malicious actors with a backdoor into systems—as well as spyware, a general term for programs that covertly monitor and collect information from a system. Information stolen can be used to craft targeted cyber intrusions, create false identities, or even facilitate access into more valuable commercial or government systems. Any computer compromised by malware has the potential to be invisibly conscripted into networks of compromised Internet-connected computers, known as botnets. Botnets are used to send spam, steal information, distribute malware and conduct attacks on a larger scale.

1 Symantec Corporation, Internet Security Threat Report 2013, 2013.

Did you know? In 2012 there were 74,000 new unique malicious web domains.1


A commonly used technique to spread malware is social engineering, in which malicious emails are tailored to entice the reader to open them. Unsuspecting users may be tempted to open malicious email attachments or follow embedded links to malicious websites—either action could lead to a compromise. These campaigns are becoming increasingly tailored and credible. Malicious emails often appear to be from someone the reader knows, such as their employer, colleague or friend. Some even have convincing-looking commercial logos and signatures and target a specific personal interest or a subject matter relevant to their work. Malicious websites can be equally convincing. They can masquerade as a legitimate site used by an individual, such as their personal banking website, in order to mislead them into revealing personal information.2

Actors

The Australian Signals Directorate (ASD), through the Australian Cyber Security Centre (ACSC), communicates key assessments to government regarding the actors and trends observed in the Australian cyber threat environment.

Users

Cyber exploitation and cyber crime are unintentionally enabled by everyday users at home, at work or on mobile computing devices. Many users still assume that responsibility for information security rests with the organisations with which they interact, such as banks and online retailers. However, even the best technical security measures can be defeated by inappropriate user behaviour. Some users, in particular individuals and small businesses, are more vulnerable due to a general lack of awareness of cyber threats and relatively low resources devoted to information security.

Users are targets in themselves for cyber crimes such as fraud and identity theft. When compromised, users can also become unintentional enablers of malicious cyber activity. The increasingly interconnected nature of our private, public and work ICT means that malware accidentally downloaded on one system can quickly lead to the infection of other devices across different environments. Inadvertently visiting the wrong website or opening the wrong email attachment can have wider consequences, including the conscription of the device into a botnet—which can then be used to facilitate large-scale cyber crime or cyber attacks—or establish an access point into a connected personal, commercial or government system.3

Did you know? Healthcare, education and government accounted for nearly two-thirds of all identities breached in 2012.2

Did you know? In 2012, more than 80% of the threats observed by Sophos were redirects, mostly from legitimate sites that had been hacked.3


Malicious Actors

Australia is an attractive target for cyber exploitation due to its prominent role in the Asia-Pacific region and major international organisations, and its strong diplomatic, defence and intelligence relationship with the United States. Australia’s wealth, resource industries and niche expertise in some research and development fields also motivate actors to target Australia. Information collected through cyber exploitation could be used to gain a relative economic, diplomatic or political advantage against Australia. It can also be used to bridge a technological gap. By stealing, for instance, intellectual property malicious actors are able to access new technologies while circumventing costly and lengthy research and development programs. Personal information gathered, such as financial or medical records, could also be used to enable malicious activities through techniques such as social engineering.4

State-sponsored actors work on behalf of a foreign entity and are the most active malicious adversaries ASD has observed. They are also the most sophisticated and best resourced adversaries. State-sponsored actors seek national security information to identify vulnerabilities in our capabilities or to gain a strategic advantage. However, malicious activity often has an economic focus, with targeting of Australia’s commercial sectors (for example, the resources, banking and telecommunications sectors) also prevalent.

Issue-motivated groups often seek to disrupt and embarrass governments, international organisations and multinational corporations in an expression of anti-establishment protest. These groups typically undertake acts in response to specific controversial events or incidents, or to coincide with significant dates or major events. Loosely coordinated international hacker groups, such as Anonymous and LulzSec, have gained notoriety and demonstrated their intent and capability to conduct cyber attacks and data theft against a wide variety of high-profile targets, including Australian government agencies. Citing a range of idealistic motivations, such as fighting for individual freedoms, calling for government transparency and opposing censorship, as well as simply for malicious ‘fun’, the groups often exploit common and relatively unsophisticated techniques to achieve their aims. For the most part, these attacks have been embarrassing and inconvenient; however, the disclosure of sensitive commercial or government information can threaten national interests, for example through the loss of consumer confidence in Australia’s digital economy.5

4 McAfee Labs, McAfee Threats Report: Second Quarter 2013, 2013.

5 Australian Competition Consumer Commission, Targeting Scams: Report of the ACCC on scam activity in 2012, 2013.

Did you know? The Australian Competition and Consumer Commission reported a loss of $93 million as a result of scams, a 9% increase from 2011.5

Did you know? In the first half of 2013 the number of new mobile malicious software samples detected exceeded 30,000. The vast majority of this malware targeted the Android platform.4


Cyber criminals are following legitimate businesses online to create new opportunities for profit. The nature of the Internet—borderless, anonymous, easily accessible and holding high volumes of financial, commercial and personal information—has boosted the incentives for committing cyber crime and allowed its organisation to become more audacious, efficient and effective.

A prolific and increasingly professional underground market of malicious cyber tools and services exists on the Internet. This market includes the sale or hire of criminal malware and botnets, guidance, recruitment and trading in stolen information such as credit card details and intellectual property.

Criminals are becoming less content with simple, indiscriminate spam and fraud attempts, and are developing sophisticated, customised malware that targets emerging technologies, social media and mobile computing devices. The last few years have also seen a proliferation of target-specific malware aimed at, for example, particular banks, types of ATMs and financial exchanges.

Conclusion

The incentives for, and capability to conduct, malicious activity in cyberspace will be enhanced by a combination of observed trends.

Motivation is increasing. Australia’s increasing reliance on the Internet is leading to more high-value information being stored and communicated on Australian government and commercial networks. This is boosting the incentive to undertake cyber crime or exploitation for direct monetary profit or indirect economic and political advantage.

Capability is easier to acquire. Acquiring a cyber capability is becoming easier with increasingly sophisticated tools, information, and guidance readily available online.

New technologies will generate new vulnerabilities. The proliferation of new technologies will increase the number of potential vulnerabilities. Of note, the growth in cloud computing and expanding use of mobile computing devices, such as smartphones, laptops and tablet computers, will generate more platforms—with distinct software, settings and applications—and more users to exploit.

The spectrum of malicious actors is expanding. The ease of acquiring a cyber capability coupled with the potential high gains—whether financial, economic, diplomatic or political—is enticing more actors into malicious cyber activity.


Countering the Cyber Threat

Malicious cyber activity will continue to challenge Australia’s national security, economic prosperity and social wellbeing. As cyber threats become increasingly sophisticated and targeted, cyber security incidents can have significant and direct impacts on organisations. However, properly assessing the security risks specific to your organisation can help to minimise your vulnerability to cyber threats.

Questions Senior Management Need to Consider

Are you confident that your networks are not currently compromised? Is the security culture of your organisation a strength or a weakness? Here are five questions you should discuss with your information security team to review your organisation’s security measures.

What would a serious cyber security incident cost our organisation?

Good information security is like an insurance policy. Good security can avoid direct costs of clean-up and also indirect costs such as downtime, lost productivity and loss of reputation and confidence in your organisation. If customer records, financial data or intellectual property were stolen, could you quickly and accurately determine what was lost? What if you had to take a system offline to conduct a forensic or legal investigation?

Who would benefit from having access to our information?

Your information is valuable. There are many state and non-state actors who would benefit from having access to your agency’s information. Identify critical information, the confidentiality, integrity and the availability of which is essential to the ongoing function of your organisation. It is important to consider the aggregated value of your information, not only the value of individual records. Every organisation faces different threats and security risks, and needs to deal with them in different ways.

What makes us secure against threats?

Security is an ongoing process, not a product. As cyber intrusions become more sophisticated and targeted, so do information security techniques and processes. To secure your organisation against threats, make sure appropriate security governance, clearly defined policy, user education and third party assessments are in place, as they are all vital parts of information security. There is no silver bullet for information security and security products alone are not a solution.

Is the behaviour of my staff enabling a strong security culture?

Staff education is key. It only takes one malicious email attachment to be opened or one malicious website to be accessed to potentially compromise your whole business. Effectively trained staff enable a strong security culture. Responsibility for information is shared amongst all members of your organisation, so all staff should be aware of the threat to reduce the security risk of valued information being stolen.


Are we ready to respond to a cyber security incident?

Will a compromise affect your continuity? Sadly, many organisations generally do not take information security seriously until they have been compromised. Your systems could be taken offline by an attack, for example through a Denial of Service attack (an attempt to flood networks with unwanted traffic to disrupt or degrade services), affecting the availability and resilience of your network. Having access to current threat information, including the likelihood and consequences, will enable informed risk assessments. By assessing the risk and allocating adequate resources to protect your information security assets, your organisation can build a stronger security foundation and improve resilience.

Most organisations conduct fire drills—perhaps it’s also time to test your resilience against a serious cyber security incident.

The Australian Government Information Security Manual

The ISM, issued by ASD, is the Government’s flagship product designed to assist Australian government agencies in applying a risk-based approach to protecting their information and ICT systems. This manual supports the guiding principles and strategic priorities outlined in the Australian Government Cyber Security Strategy by providing detailed information about the cyber security threat, as well as assisting agencies in determining appropriate controls to protect their information and systems.

While there are other standards and guidelines designed to protect information systems, the advice in the ISM is specifically based on activity observed by ASD on Australian government networks.

Format

The ISM is comprised of a high level ‘principles based’ document and a detailed Controls manual, further complemented by an ‘Executive Companion’. This format is designed to be more accessible to a wider audience across all levels of government to improve awareness of information security issues.

This product suite targets different areas of your agency to ensure that key decision makers across government are made aware of and involved in countering threats to their information and ICT systems.

[Figure: the Information Security Manual product suite. Panels: Executive Companion; Information Security Principles; Information Security Controls; Device Specific Guides; Protect Publications.]


These products are designed to complement each other and provide agencies with the necessary information to make informed decisions based on their own business requirements, specific circumstances and risk appetite.

The Executive Companion is targeted towards the most senior executives in each agency, such as Deputy Secretaries, Secretaries and Chief Executive Officers, and comprises broader strategic messaging about key information security issues.

The Principles document is aimed at Security Executives, Chief Information Security Officers, Chief Information Officers and senior decision makers across government and focuses on providing agencies with a better understanding of the cyber threat environment and rationale to assist agencies in developing informed information security policies within their organisations.

The Controls manual is aimed at IT Security Advisors, IT Security Managers and security practitioners across government. This manual provides a set of detailed controls that, when implemented, will help agencies adhere to the higher level Principles document.

ASD information security policies and guidance produced in addition to this manual may address device and scenario-specific security risks to government information and systems. Not all ISM requirements can be implemented on all devices or in all environments. Where stipulated, such device-specific guidance takes precedence over the platform non-specific advice in this manual. ASD produces information security policies and guidance in addition to this manual, such as Australian Communications Security Instructions (ACSI), consumer guides, hardening guides and Protect publications.

Compliance

The ISM Controls Manual provides agencies with detailed security measures that can be implemented to mitigate risks to their information and systems. Agencies are encouraged to make informed, risk-based decisions specific to their unique environments, circumstances and risk appetite.

There are two categories of compliance associated with the controls in this manual—‘must’ and ‘should’. These compliance requirements are determined according to the degree of security risk an agency will be accepting by not implementing the associated control. ASD’s assessment of whether a control is a ‘must’ or a ‘should’ is based on ASD’s experience in providing cyber and information security advice and assistance to the Australian government and reflects what ASD assesses the risk level to be. Agencies may have differing risk environments and requirements, and may have other mitigations in place to reduce the residual risk to an acceptable level.


ASD’s Role

What ASD can do for you

As directed by the Intelligence Services Act 2001, ASD provides foreign signals intelligence as well as advice and assistance on matters relating to the security and integrity of electronic information. These twin missions complement each other, with the skillsets and capabilities required to be an expert at one being precisely those required to master the other. It is the same reasoning why Australia’s signals intelligence and information security functions were co-located in the Defence Signals Bureau—the forerunner of ASD—more than 60 years ago. As the Commonwealth authority on information security, and informed by its signals intelligence expertise and capabilities, ASD can provide agencies with advice and assistance as well as further information on the cyber threat. ASD conducts a number of workshops and forums with IT Security Advisors throughout the year to facilitate open discussion on countering the cyber threat. These discussions focus on the challenges faced by Australian government agencies in protecting their information and systems.

The Australian Cyber Security Centre (ACSC) includes representatives from ASD, the Australian Crime Commission, the Australian Defence Force, the Australian Federal Police, the Australian Security Intelligence Organisation, the Defence Intelligence Organisation and the Computer Emergency Response Team (CERT) Australia. The ACSC leads the Australian Government's operational response to cyber security incidents, organises national cyber security operations and resources, manages cyber security incident reporting, and analyses and raises awareness of the cyber threat to Australia.

What you can do for ASD

Successfully protecting Australian networks from an increasingly sophisticated and persistent cyber threat requires strong collaboration. While ASD can provide technical advice and assistance, we cannot tackle this challenge alone. Reporting of cyber security incidents provides ASD with greater visibility of the threat environment and assists in the prevention of cyber intrusions on Australian government networks.

While the information in the ISM is extensive, it represents advice at a point in time as technology and the threat environment continue to evolve. Please keep us informed on how we can continue to provide tailored advice that best meets the needs and requirements of your agency. ASD will focus on providing advice according to where it is most needed.

Contact


Principles

Information Security Risk Management

Rationale

Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.

The ISM is designed as a tool to assist Australian government agencies to risk-manage the protection of their information and systems. It represents best practice in mitigating or minimising the threat to Australian government systems. However, there is no one-size-fits-all approach to information security. Taking a risk management approach to information security provides agencies with the flexibility to allow for differences in their environment when making security decisions. Agencies will have different security requirements, business needs and risk appetites from one another. It may not be possible or appropriate for an agency to implement all security controls included in the Controls manual.

Information security risk management requires agencies to understand the security risks they face, to make informed decisions when using technology. Understanding the risk environment specific to your agency will also enable greater flexibility and adaptability in responding to changes to that environment as the threat landscape evolves.

Scope

This chapter describes the expectations on Australian government agencies in taking a risk management approach to information security.

Principles

1. Requirement to Adopt a Risk Management Approach

Provide accountable authorities with a holistic understanding of their security posture by incorporating information security into an agency’s broader risk management practices.

It is a mandatory requirement of the Australian Government Protective Security Policy Framework that agencies adopt a risk management approach to cover all areas of protective security across their organisation. Since an agency’s risk owner is accountable for an information or cyber security incident, it is important they are made aware of any residual risks to agency information and systems through a formal approval process. Information security should therefore be incorporated into an agency’s broader risk management practices.


2. Information Security Risk Management Process

Implement a risk management approach to information security by identifying, analysing, evaluating and, where appropriate, treating security risks to information and systems.

Risk management allows agencies to balance the operational and economic costs of information security measures with the need to protect the information and systems that support their organisational functions.

The process of identifying, analysing and evaluating information security risks can help agencies select security controls suitable for their unique business environments. Risks deemed unacceptable are treated by implementing appropriate security measures. Risks deemed acceptable, as well as any residual security risks, are formally accepted by an appropriate authority.

The ISM communicates potential information security risks faced by Australian government agencies. It can assist agencies in understanding the consequences of non-compliance with advised security controls and whether such non-compliance presents an acceptable level of risk. The ISM Controls manual provides guidance on appropriate risk mitigation strategies. As a whole-of-government policy document, the advice in the ISM is necessarily device and agency non-specific. Not all ISM requirements can be implemented on all devices or in all environments. In these cases, device-specific advice issued by ASD may take precedence over the advice in the ISM. Agencies should familiarise themselves with other documentation suites issued by ASD. Relevant documentation is referenced in each section of the ISM Controls manual.

References

Further information on risk management and protective security requirements can be found in the Australian Government Protective Security Policy Framework, available at www.protectivesecurity.gov.au.

For further guidance please refer to the Australian Standard for Risk Management AS/NZS ISO 31000:2009, the Australian Standards HB 167:2006 Security risk management and HB 327:2010 Communicating and consulting about risk.

The Protective Security Training College, managed by the Attorney-General’s Department, provides formal training opportunities on the subject of security risk management: www.ag.gov.au/NationalSecurity/ProtectiveSecurityTraining/Pages/default.aspx.


Outsourced Information Technology Services

Rationale

Outsourcing can be a cost-effective option for providing information technology services and functions in an agency, as well as potentially delivering a superior service. However, it can also affect an agency’s risk profile and control over its threat environment. Storing data in multiple disparate locations and allowing more people to access agency information can significantly increase the potential for network infection and information loss or compromise.

Cloud computing—abstracted, scalable ICT infrastructure that can be leased to customers—is one of the most significant shifts affecting ICT services. Circumventing the need for infrastructure management has clear financial and operational benefits for agencies. However, due to the Internet-connected nature of cloud computing, any data stored on this type of network is vulnerable to malicious cyber activity. Moreover, the physical data storage location—and the people responsible—will not necessarily be known to the customer. This diminishes customer control over threat mitigation and response and increases the threat from malicious insiders.

Scope

This chapter provides information on outsourced information technology, including cloud computing, services.

Principles

1. Outsourced General Information Technology Services

Maintain the confidentiality, integrity and availability of information by ensuring information technology service providers, including cloud service providers, implement appropriate security measures to protect government information. Agency privacy and security obligations for protecting government information are no different when using an outsourced information technology service, including a cloud computing service. Ensuring that service provider systems are formally accredited provides some assurance that official, sensitive or classified government information is receiving an appropriate level of protection.

Performing a due diligence review of suppliers before obtaining software, hardware or services will assist agencies in determining whether security measures need to be taken to mitigate the threats arising from potential supply chain exploitation.

The contract or service agreement between an agency and their service provider must address mitigations to governance, privacy and security risks, otherwise the customer only has vendor promises and marketing claims that can be hard to verify and may be unenforceable.

Did you know? In 2011, 41% of data breaches were caused by a third party, namely outsourcers, cloud providers or business partners that handled or accessed the organisation's information.6


2. Outsourced Cloud Services

Maintain the confidentiality, integrity and availability of information by applying ASD's recommended risk mitigation strategies when using outsourced cloud services.

Outsourced cloud services can affect an agency's risk profile. Cloud services located offshore are subject to foreign countries' laws and may be subject to lawful and covert collection. A comprehensive risk assessment is essential in identifying and managing jurisdictional, governance, privacy, technical and security risks. ASD maintains a list of cloud services that have been certified by ASD to assist agencies in making risk‑based decisions when using cloud services.

References

Additional information regarding cloud computing security considerations can be found via the ASD website at www.asd.gov.au/infosec/cloudsecurity.htm.

The Australian Government Information Management Office (AGIMO) is the lead agency for whole–of–government policy on cloud computing. Relevant documentation can be found at www.finance.gov.au/cloud/.

ASD maintains a list of cloud services that have been certified by ASD, which can be found via the ASD website at www.asd.gov.au/infosec/ccsl.

Better practice guidance developed by the Attorney–General’s Department can be found in Security of Outsourced Services and Functions at www.protectivesecurity.gov.au.


Roles and Responsibilities

Rationale

Managing information security at the senior executive level provides agencies with strategic–level guidance that ensures compliance with national policy, standards, regulation and legislation. Further, senior support best ensures an agency’s ability to restore business–critical services to an operational state in the event of a disaster.

Duties should be assigned to individuals with an appropriate level of authority, access to information and resources, technical expertise and time to dedicate to meeting these responsibilities. Agencies should also ensure there is sufficient separation of duties to provide quality assurance and avoid any actual or perceived conflict of interest.6

Scope

This chapter describes roles and responsibilities concerning information security.

Principles

1. Visibility

Provide personnel, including decision makers, with sufficient information to perform their duties by adopting a robust and effective governance framework. An effective information security governance framework will provide decision makers with a current, accurate and holistic understanding of the threat environment, enabling them to make informed risk–based decisions in relation to information security. It is also important to ensure that this information is passed to system owners and stakeholders and that it is considered during accreditation activities.

2. Accountability

Ensure duties are undertaken at an appropriate level and conducted accountably by adopting a governance framework with clearly defined roles and responsibilities. A strong governance framework will promote accountability and ensure that all duties are appointed to individuals with an appropriate level of authority.

3. Probity

Reduce the likelihood of an actual or perceived conflict of interest by maintaining clear separation of duties.

The separation of duties can prevent an actual or perceived conflict of interest. For instance, there can be a conflict of interest in a system owner assessing the security of their own system.

References

Nil.

6 Ponemon Institute, 2009 Annual Study: Cost of a Data Breach — Understanding Financial Impact,

Did you know? The leadership of a Chief Information Security Officer or equivalent position can substantially reduce the overall cost of data breaches.7


Information Security Documentation

Rationale

Documentation is vital to any information security regime, as it supports the accurate and consistent application of policy and procedures within an agency. Documentation also provides increased accountability and a standard against which compliance can be measured.

The following suite of documents forms the Information Security Management Framework, as mandated in the Australian Government Information Security Management Protocol of the Australian Government Protective Security Policy Framework:

1. Information security policy. To set the strategic direction for an agency’s information security and allow management to communicate its goals and expectations.

2. Security risk management plan. To identify security risks and appropriate mitigation measures for systems and determine a risk tolerance threshold, ensuring risks are able to be managed in a coordinated and consistent manner across an agency.

3. System security plan. To ensure specific security measures for the implementation and operation of a specific system are adequately communicated and considered.

4. Standard operating procedures. To assist personnel to follow security procedures in an appropriate and uniform manner, with a minimum level of confusion.

5. Incident response plan. To communicate which actions to take in response to a cyber security incident, with sufficient flexibility, scope and detail to address the majority of incidents which could arise.

6. Emergency procedures. To ensure information and systems are properly secured before personnel evacuate a facility, as emergency situations can be exploited as an opportunity for a malicious actor to gain access to systems.

7. Business continuity and disaster recovery plans. To help maintain security in the face of unexpected events and changes by ensuring critical functions continue to operate when a system is working in a degraded state or reducing the time between when a disaster occurs and critical functions being restored.7

To avoid confusion and ensure information security policy and procedures are properly applied, it is essential that all documents work in concert with, and not contradict, each other. Clear and logical wording will ensure the documents are easy to use and, consequently, effective.

Did you know? Three out of four companies across ten countries—including Australia—have security policies in place. However, 40% of employees and 20% of IT professionals did not know that the security policies existed.8


The cyber threat environment is dynamic—so too are agency business requirements. If an agency fails to keep its information security documentation current through regular reviews to reflect the changing environment, their security measures and processes may cease to be effective. In that situation, resources could be devoted to areas that have reduced effectiveness, or are no longer relevant.

Scope

This chapter describes the development of information security documentation for systems.

Principles

1. Information Security Documentation

Apply agency policy and procedures consistently and accountably by adopting a comprehensive suite of information security documentation, which is regularly reviewed and tailored to specific systems and user roles.

An appropriate and interconnected suite of information security documentation assists in the proper, consistent and accountable application of policy and procedures within an agency. Agencies need to communicate new or altered policies and procedures to stakeholders to ensure they are properly implemented.

References

Information on the development of security risk management plans can be found in the Information Security Risk Management Guidelines available from Standards Australia at www.standards.org.au.

Information relating to the Information Security Management Framework is contained in the Australian Government Information Security Management Protocol of the Australian Government Protective Security Policy Framework, which can be found at


System Accreditation

Rationale

Accreditation is the process by which an appropriate authority formally recognises and accepts that residual risks on a system are appropriate for the classification of the information that it processes, stores or communicates. Agencies must accredit all systems before they can be put into operation. Accreditation provides agencies with assurance that either sufficient security measures have been put in place on their systems or deficiencies in such measures have been accepted by an appropriate authority. The following diagram shows, at a high level, the process of accreditation:

[Diagram: the accreditation process, with swim lanes for the System Owner, Accreditation Authority, Certification Authority and Assessor. Steps shown: Requests accreditation; Requests reaccreditation; Requests certification; Requests audit; Conducts first stage audit; Implements controls; Conducts second stage audit; Assesses audit report and residual risk; Awards certification; Assesses certification report; Assesses residual risk and other factors; Awards accreditation.]


The accreditation process does not only apply to new systems. It is important that systems are reaccredited as the information technology and cyber threat environments continue to evolve. Performing regular accreditation facilitates understanding of a current system's security environment and provides assurance that information systems are of a standard that meet the agency’s security requirements. Once a system has been accredited, conducting continual monitoring activities will assist in assessing changes to its environment and operation to determine the implications for the risk profile and accreditation status of the system. When accrediting a system, it is also important to remain aware of legislative and policy requirements if a system is connecting to another party. Agencies should ensure they are aware of the security measures the other party has implemented to protect their information, and accept any risks associated with connecting to such systems. Further, it is vital that Australian citizens maintain control of systems that process, store and communicate Australian Eyes Only (AUSTEO) and Australian Government Access Only (AGAO) information.

Scope

This chapter describes the accreditation framework for systems and agencies’ responsibilities.

Principles

1. Accreditation Framework

Ensure that an appropriate level of security is being applied to agency systems, and that any residual risks have been accepted, by adopting a robust accreditation framework.

An appropriate accreditation framework will comprise clear lines of accountability and a segregation of roles and responsibilities to provide agencies with an impartial mechanism to assess the security of their systems.

2. Conducting Security Assessments or Audits

Certify agency systems under the accreditation framework by conducting impartial security assessments, also known as audits.

The aim of a security assessment or audit is to review the system architecture (including the information security documentation) and assess the actual implementation, appropriateness and effectiveness of controls for a system. Security assessment or audits are typically undertaken by Information Security Registered Assessors.

The outcome of a security assessment or audit is a report to the certification authority describing areas of compliance and non–compliance for a system and any suggested remediation actions. The compliance report helps the certification authority assess the residual risk relating to the operation of a system following the security assessment or audit and any remediation activities the system owner may have undertaken.

3. Conducting Certifications

Independently verify the integrity and accept the outcome of an audit by certifying a system as part of the accreditation framework.


Certification provides the accreditation authority with information on the security posture of a system. This allows the accreditation authority to make an informed decision on whether the residual risk of allowing the system to operate is acceptable. The certification authority is typically the officer responsible for overseeing information technology security management across the agency. However, ASD acts as the certification authority in the case of TOP SECRET systems.

Certification for a system will be awarded once a certification authority is satisfied that the system has been appropriately assessed and the controls identified by the system owner have been implemented and are operating effectively. The certification authority can then make a recommendation to the accreditation authority on whether to award accreditation or not based on an assessment of the residual risk relating to the operation of the system.

4. Conducting Accreditations

Accept that the residual security risks on an agency system are appropriate for the information it processes, stores or communicates by accrediting the system before being put into operation.

Accreditation of a system ensures that either sufficient security measures have been put in place or that deficiencies in such measures have been accepted by an appropriate authority. An accreditation authority awards approval to operate the system and is typically the agency head or at least a senior executive who has an appropriate level of understanding of the risks they are accepting on behalf of the agency. The exception is for TOP SECRET systems, for which ASD is the accreditation authority.

References

Policy and Procedures for the Information Security Registered Assessor Program contains a definition of the range of activities Information Security Registered Assessors are authorised to perform. It can be obtained from ASD’s website at www.asd.gov.au/infosec/irap.htm.


Information Security Monitoring

Rationale

Information security is a continual process, one that extends beyond ensuring that a system is secure at the time of deployment. Vulnerabilities can be introduced into a system through poor design, planning, implementation, change management or maintenance, as well as through changes in technology or attack vectors. Unmitigated vulnerabilities provide the means for a malicious actor to compromise systems and information.

Information security monitoring practices can help ensure that new vulnerabilities are addressed and security is maintained through unforeseen events and changes, whether internal to the system or in the system’s operating environment. Such practices allow agencies to be proactive in identifying, prioritising and responding to risks. Measures to monitor and manage vulnerabilities in, and changes to, a system can provide an agency with valuable information about its level of exposure to threats, as well as assisting agencies in keeping up to date with industry and product advances.8

Scope

This chapter describes the importance of vulnerability management activities and robust change management processes.

Principles

1. Vulnerability Management

Maintain the security posture of systems by implementing appropriate vulnerability management practices.

Vulnerability management activities, such as regular vulnerability assessments, analysis and mitigation, assist in maintaining system security as threat environments change over time. Vulnerability assessments allow agencies to identify security weaknesses caused by misconfigurations, bugs or flaws. Once a vulnerability is detected, an agency is able to determine a way forward through vulnerability analysis, assessing the vulnerability’s potential impact and available mitigation strategies. Vulnerability mitigation is the process of applying the chosen mitigations in an effective and timely manner in order to eliminate or minimise the risk.

8 Auditor General of Western Australia, Information Systems Audit Report (Report 4), June 2011.

Did you know? During a 2011 information systems audit, 14 out of 15 Western Australian government agencies failed to detect, prevent or respond to suspicious scans of their Internet sites seeking to identify security weaknesses.9


2. Change Management

Ensure an agency’s approved security risk threshold is maintained when implementing system changes by applying appropriate change management processes.

Implementing changes to a system can impact upon its overall risk. A sound change management process ensures changes are made in an accountable manner with due consideration and with appropriate approval.

It also provides agencies with the opportunity to, if necessary, initiate a reaccreditation process or apply vulnerability management practices, minimising the risk of system security degrading over time.

References

Nil.


Cyber Security Incidents

Rationale

Cyber security incidents have the potential to cause significant damage to agency business functions or to the broader government and can result in financial loss, loss of customer confidence and negatively impact the reputation of an agency or government.

Agencies can lessen the impact, and the immediate and long term response costs, of a cyber security incident by investing in effective measures to detect, prevent, report and manage cyber security incidents. Such measures can help identify gaps in information security policies and procedures, and assist in the development of additional measures required to prevent future incidents occurring.

The development of a robust cyber security incident management and response plan positions an agency to detect threats and respond swiftly and appropriately in the event of a cyber security incident. Having sound and up to date knowledge of the affected system will enable an agency to quickly identify the cause and extent of the incident and restore the system to an operational and secure state as soon as possible.9

Additionally, actively monitoring the cyber security threat environment and actioning advice provided by ASD will assist in evolving agency understanding of the cyber threat and help inform agency incident response planning.

Users of an agency system should be considered an important and integrated element of any agency’s cyber security detection and response strategy. Many potential cyber security incidents are noticed by users before security staff are alerted by technical measures. For this to happen, users must receive training on information security, including how to recognise and respond to potential cyber incidents, and be provided with a process to report any observed or suspected security incidents. In addition, users need to be aware of how to respond to incidents in an appropriate manner. This can assist an agency in recording all cyber security incidents—particularly those which a security manager or system owner fail to notice—as well as ensuring that any digital evidence relating to an incident is managed so that it remains accessible and usable for as long as it is needed. This includes ensuring that metadata about the digital records, who used them, and how they were used is retained.

Scope

This chapter describes the detection, reporting and management of cyber security incidents.

9 Ponemon Institute, 2011 Cost of a Data Breach Australia, 2012.

Did you know? 22 Australian companies in a 2011 study lost between 3,200 and 65,000 individual records from data breach incidents, with an average organisation cost per breach of $2.16 million.10


Principles

1. Detection

Reduce the impact and time taken to resolve cyber security incidents by implementing proper procedures and appropriately configured technical measures.

Early cyber security incident detection allows for early response and resolution. Detection tools and procedures work to mitigate the most common methods of attack used to exploit systems. Measures for detecting cyber security incidents include intrusion detection strategies, malicious code countermeasures, audit analysis and system integrity checking. However, automated tools are only as good as the analysis they provide. If tools are not adequately configured to assess potential security risks then it will not be evident when a weakness emerges. Additionally, regular updates to detection tools to include new known vulnerabilities will help avoid a degradation in their effectiveness over time.

2. Reporting

Maintain an up to date and accurate understanding of the cyber threat environment specific to your network and contribute to the overall cyber threat picture by implementing internal and external cyber reporting procedures.

Robust measures for reporting cyber security incidents can provide management with a means to assess the overall damage to a system and to take remedial action, including seeking advice from ASD if necessary.10

The ASD–established Cyber Security Incident Reporting Scheme assists in maintaining an accurate threat environment picture for systems across government. ASD uses cyber security incident reports as the basis for recognising trends, identifying and responding to incidents, and for developing new policies, procedures, techniques and training to prevent the recurrence of similar incidents across government. Reporting cyber security incidents to ASD through the appropriate channels ensures proper and timely assistance can be provided. Reporting any cyber security incident involving the loss or misuse of cryptographic keying material is critical, as system users rely on this technology for the confidentiality and integrity of their secure communications.

3. Management

Enable necessary information to be retained to resolve current, or mitigate future, cyber security incidents by implementing appropriate management procedures. Proper management of cyber security incidents—such as recording incidents, designating responsibilities, handling and containing data spills and malicious code infections, and securing the integrity of evidence—can help resolve current and prevent future occurrences. Recording cyber security incidents can highlight the nature and frequency of incidents, to assist in taking corrective action and informing future risk assessments for systems.

Did you know? 85% of data breaches in 2011 took weeks or more to discover. In fact, over half of the breaches took months to discover.11


Using the information gained during an incident can better prepare an agency for handling future incidents and provide stronger protection for systems and information. Maintaining the integrity of evidence—such as logs, audit trails and other detection tool outputs—after an incident ensures better assistance can be provided. Protecting digital evidence is not only important for investigations leading to criminal prosecution, but is vital to ASD when responding to and investigating cyber security incidents. Moreover, agencies are required under the Archives Act 1983 to retain records such as event logs and audit trails for specific minimum periods.

References

Further information on minimum retention periods for Commonwealth records is provided in the National Archives of Australia’s Administrative Functions Disposal Authority, which can be found at


Physical Security

Rationale

Physical security is fundamental to all security efforts. Without adequate physical security controls, all other information security measures are considerably more difficult, if not impossible, to initiate. Physical security requires that equipment and infrastructure be safeguarded in a way that minimises the risk of resource theft, destruction or tampering, for example by limiting access to areas housing network infrastructure.

Physical security can not only assist in preventing malicious damage, but also reduces the risk of accidents and inadvertent errors affecting a system.

A single layer of physical security, such as an identification pass that allows building access, is insufficient to mitigate the risk of compromise. A layered approach to physical security works to progressively limit access to systems and infrastructure to authorised personnel only, and prevent a shortfall in one security layer from leading to a wider, more serious failure. This is a practical example of the defence–in–depth concept being applied to the information security space. As an example of a layered approach, an agency could require identification passes for building access as well as targeted swipe access to specific rooms which accommodate lockable containers for storing information or equipment.11

Scope

This chapter outlines the physical security requirements for ICT systems and should be read in conjunction with the physical security components of the Australian Government Protective Security Policy Framework.

Principles

1. Physical Security for Systems

Limit access to facilities, servers, network devices, ICT equipment and media to authorised personnel only by applying appropriate physical security controls in accordance with the Australian Government Protective Security Policy Framework.

The application of defence–in–depth to the protection of systems is enhanced through the use of successive layers of physical security, designed to limit access to those with the need and appropriate authorisation to access facilities, systems, network infrastructure, ICT equipment and media.

Did you know? 30% of IT professionals interviewed in Australia had encountered issues with people having unauthorised physical and network access.12


References

Physical security requirements and guidance can be found in the Australian Government Protective Security Policy Framework available at www.protectivesecurity.gov.au.

In addition, the Security Equipment Catalogue, produced by the Security Construction and Equipment Committee (SCEC), provides a list of security products and vendor contact details.


Personnel Security

Rationale

Personnel security refers to measures which work to manage the risk of a trusted insider using their legitimate access to an agency’s facilities, assets, systems or people for illicit gain or to cause harm, whether intentional or inadvertent. Implementing a personnel security framework assists agencies in identifying any ‘inside threats’ they could confront, and provides the tools to manage the associated risks.

Personnel security is about being educated, informed and proactive. By accessing an agency’s information systems, employees are able to identify and understand procedures and vulnerabilities, and know how and when they can be exploited. Legitimate access can be abused or poor access controls can be manipulated to gain unauthorised access. Together with an intent to commit theft, sabotage or to disclose sensitive or classified information, an employee can cause significant damage to an agency’s reputation, operations, productivity or finances. Appointing suitable and trustworthy personnel to operate, maintain and access information systems creates the first line of defence in an agency’s security posture. On the other hand, personnel can cause unintentional harm if they are unaware of their security responsibilities and role in protecting an agency’s systems and information. If policies are to be successful in preventing the compromise or unauthorised disclosure of information, they need to be adopted and practiced by all agency personnel on a daily basis. For example, social engineering campaigns aim to exploit weaknesses in personal judgment and decision– making to compromise or gain access to an agency’s system or information. Fostering a culture of security awareness and responsibility through effective training and awareness programs is vital in ensuring individuals make the security decisions expected of them.

Scope

This chapter describes information security awareness and training for personnel, and the responsibilities of personnel using Internet services.

Principles

1. Information Security Awareness and Training

Foster an effective security culture within an agency by providing all personnel with ongoing information security awareness and training, tailored to system user roles and responsibilities.

Fostering an effective security culture through tailored education plays a major role in protecting agency systems and information from attack or compromise. Information security awareness and training programs can educate system users, security practitioners and senior decision–makers on the cyber threat environment, as well as generate support for agency security requirements and familiarise users with their roles and responsibilities. The degree and content of the programs will depend on the objectives of the agency, as well as the


2. Using the Internet

Ensure personnel are able to use Internet services in a responsible, accountable and security conscious manner by adopting effective usage policies and controls.

Some Internet services, such as public web–based email and peer–to–peer applications, can allow personnel to bypass security measures that agencies have put in place to protect their systems. For example, when personnel receive files via peer–to–peer file–sharing applications, instant messaging or chat, they are often able to evade established security measures for detecting and quarantining malicious code. Further, some peer–to–peer voice over Internet Protocol (VoIP) applications, such as Skype, use protocols which bypass firewalls, creating a vulnerable access point into the system. Public web–based email can be easily exploited as a backdoor entry route for malware.12

Agency staff need to be aware that any personal information they post on websites could be used to inform phishing scams, or to develop a detailed profile of their life and hobbies in order to build a trust relationship with them or associates. The relationship could then be used to elicit government information from them or implant malware on systems by inducing them to, for example, open emails or visit websites with malicious content. Even unclassified information that appears to be benign in isolation could, when combined with other information, have a considerable security impact.

Agencies can help to facilitate secure use of the Internet by implementing measures that ensure Internet services and applications available to personnel are appropriately scanned for malicious code and subject to inspection by intrusion detection systems.

References

For all other guidance on personnel security requirements, please refer to the Australian Government Personnel Security Core Policy and the Australian Government Personnel Security Management Protocol of the Australian Government Protective Security Policy Framework, which can be found at www.protectivesecurity.gov.au.

For information on the personnel security threat environment, please refer to The Insider Threat to Business – A personnel security handbook, as released by the Attorney-General’s Department. This can be found under the ‘Security’ heading at www.tisn.gov.au/Pages/Publications-by-topic.aspx.

Information on the policy and regulations governing the disclosure and use of government information by personnel can be found in the Managing Official Information section of APS Values and Code of Conduct in Practice, located at www.apsc.gov.au/publications-and-media/current-publications/aps-values-and-code-of-conduct-in-practice.

12 Sophos, Security Threat Report 2012 — Seeing the Threats Through the Hype, 2012.

Did you know?

85% of all malicious software — including viruses, worms, spyware, adware and Trojans — comes from the web.13

