Australian Government
Information Security Manual
PRINCIPLES
2014
The details of the relevant licence conditions are available on the Creative Commons website as is the full legal
code for the CC BY 3.0 AU licence.
http://creativecommons.org/licenses/by/3.0/au/deed.en
http://creativecommons.org/licenses/by/3.0/legalcode
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the Department of the Prime Minister and
Cabinet's website.
http://www.dpmc.gov.au/guidelines/index.cfm
Contact us
Inquiries regarding the licence and any use of this document are welcome at:
Australian Signals Directorate
PO Box 5076
Kingston ACT 2604
1300 CYBER1 (1300 292 371)
asd.assist@defence.gov.au
Foreword
In recent years, the Australian Government has made great advances in bringing its business
online. The benefits of government information and communications technology (ICT) systems
and services becoming increasingly connected will continue as the government makes the
most of new technologies. However, this new, connected way of doing business also creates
opportunities for adversaries to gain an advantage by exploiting these technologies to access
information of national importance.
As our intrusion detection, response, mitigation and threat assessment capabilities continue to
improve, so too do the skills of cyber threat actors. This requires us to be vigilant, flexible and
proactive in our approach to cyber and information security.
Strong security is not a trivial process; it requires ongoing vigilance and resources. By
continually hardening our defences, we have a greater chance of protecting the information
entrusted to us.
The Australian Government Information Security Manual (ISM) comprises three complementary
documents designed to provide greater accessibility and understanding at all levels of
government. This Principles document details the guiding principles and rationale to assist
senior decision makers in developing informed risk-based information security policies within
their organisations.
I commend you on your agency's efforts to strengthen your cyber and information security
and trust you'll continue to keep security as an agency priority.
Dr Paul Taloni
Director
Australian Signals Directorate
2014 Information Security Manual | Principles
CONTENTS
Foreword iii
INFORMATION SECURITY: COUNTERING THE THREAT
ASD's Role 10
PRINCIPLES 11
Information Security Risk Management 12
System Accreditation 19
Physical Security 27
Personnel Security 29
Communications Infrastructure 31
Product Security 37
Media Security 39
Software Security 42
Email Security 45
Access Control 47
Secure Administration 49
Cryptography 50
Network Security 52
Working Off-Site 57
SUPPORTING INFORMATION 61
Glossary of Terms 63
INFORMATION SECURITY: COUNTERING THE THREAT
Advances in information and communications technology (ICT) are allowing for greater
accessibility, mobility, convenience, efficiency and productivity across almost all aspects of
Australian life. Australia's national security, economic prosperity and social wellbeing now
depend on ICT, and the Internet in particular. The security of sensitive government and
commercial information, the security of our digital infrastructure, and public and international
confidence in Australia as a safe place to do business online are critical to our future.
Did you know? In 2012 there were 74,000 new unique malicious web domains.[1]
Actors
The Australian Signals Directorate (ASD), through the Cyber Security Operations Centre
(CSOC), communicates key assessments to government regarding the actors and trends
observed in the Australian cyber threat environment.
Users
Cyber exploitation and cyber crime are unintentionally enabled by everyday users at home,
at work or on mobile computing devices. Many users still assume that responsibility for
information security rests with the organisations with which they interact, such as banks
and online retailers. However, even the best technical security measures can be defeated
by inappropriate user behaviour. Some users, in particular individuals and small businesses,
are more vulnerable due to a general lack of awareness of cyber threats and relatively low
resources devoted to information security.
Did you know? In 2012, more than 80% of the threats observed by Sophos were redirects, mostly from legitimate sites that had been hacked.[3]
Malicious Actors
State-sponsored actors work on behalf of a foreign entity and are the most active
malicious adversaries ASD has observed. They are also the most sophisticated and best
resourced adversaries. State-sponsored actors seek national security information to identify
vulnerabilities in our capabilities or to gain a strategic advantage. However, malicious activity
often has an economic focus, with targeting of Australia's commercial sectors (for example,
the resources, banking and telecommunications sectors) also prevalent.
Cyber criminals are following legitimate businesses online to create new opportunities for
profit. The nature of the Internet, which is borderless, anonymous, easily accessible and holds high
volumes of financial, commercial and personal information, has boosted the incentives for
committing cyber crime and allowed its organisation to become more audacious, efficient
and effective.
A prolific and increasingly professional underground market of malicious cyber tools and
services exists on the Internet. This market includes the sale or hire of criminal malware and
botnets, guidance, recruitment and trading in stolen information such as credit card details
and intellectual property.
Criminals are becoming less content with simple, indiscriminate spam and fraud attempts, and
are developing sophisticated, customised malware that targets emerging technologies, social
media and mobile computing devices. The last few years have also seen a proliferation of
target-specific malware aimed at, for example, particular banks, types of ATMs and
financial exchanges.
Conclusion
The incentives for, and capability to conduct, malicious activity in cyberspace will be enhanced
by a combination of observed trends.
Motivation is increasing. Australia's increasing reliance on the Internet is leading to
more high-value information being stored and communicated on Australian government and
commercial networks. This is boosting the incentive to undertake cyber crime or exploitation
for direct monetary profit or indirect economic and political advantage.
Capability is easier to acquire. Acquiring a cyber capability is becoming easier with
increasingly sophisticated tools, information and guidance readily available online.
New technologies will generate new vulnerabilities. The proliferation of new
technologies will increase the number of potential vulnerabilities. Of note, the growth in cloud
computing and the expanding use of mobile computing devices, such as smartphones, laptops
and tablet computers, will generate more platforms (with distinct software, settings and
applications) and more users to exploit.
The spectrum of malicious actors is expanding. The ease of acquiring a cyber capability,
coupled with the potential high gains (whether financial, economic, diplomatic or political), is
enticing more actors into malicious cyber activity.
Format
The ISM comprises a high-level, principles-based document and a detailed Controls
manual, further complemented by an Executive Companion. This format is designed to be
more accessible to a wider audience across all levels of government and to improve awareness of
information security issues.
This product suite targets different areas of your agency to ensure that key decision makers
across government are made aware of and involved in countering threats to their information
and ICT systems.
[Diagram: the ISM product suite comprises the Executive Companion, Information Security Principles, Information Security Controls, Device Specific Guides, Protect Publications and Australian Communications Security Instructions.]
These products are designed to complement each other and provide agencies with the
necessary information to make informed decisions based on their own business requirements,
specific circumstances and risk appetite.
The Executive Companion is targeted towards the most senior executives in each agency,
such as Deputy Secretaries, Secretaries and Chief Executive Officers, and comprises broader
strategic messaging about key information security issues.
The Principles document is aimed at Security Executives, Chief Information Security Officers,
Chief Information Officers and senior decision makers across government and focuses on
providing agencies with a better understanding of the cyber threat environment and rationale
to assist agencies in developing informed information security policies within
their organisations.
The Controls manual is aimed at IT Security Advisors, IT Security Managers and security
practitioners across government. This manual provides a set of detailed controls that, when
implemented, will help agencies adhere to the higher level Principles document.
ASD information security policies and guidance produced in addition to this manual may
address device- and scenario-specific security risks to government information and systems.
Not all ISM requirements can be implemented on all devices or in all environments. Where
stipulated, these take precedence over the platform non-specific advice in this manual.
ASD produces information security policies and guidance in addition to this manual, such as
Australian Communications Security Instructions (ACSI), consumer guides, hardening guides
and Protect publications.
Compliance
The ISM provides agencies with a set of detailed controls that can be implemented to mitigate
risks to their information and systems. Agencies are encouraged to make informed, risk-based
decisions specific to their unique environments, circumstances and risk appetite.
There are two categories of compliance associated with the controls in this manual: must
and should. These compliance requirements are determined according to the degree of
security risk an agency will be accepting by not implementing the associated control. ASD's
assessment of whether a control is a must or a should is based on ASD's experience in
providing cyber and information security advice and assistance to the Australian government
and reflects what ASD assesses the risk level to be. Agencies may have differing risk
environments and requirements, and may have other mitigations in place to reduce the
residual risk to an acceptable level.
ASD's Role
What ASD can do for you
As directed by the Intelligence Services Act 2001, ASD provides foreign signals intelligence
as well as advice and assistance on matters relating to the security and integrity of electronic
information. These twin missions complement each other, with the skillsets and capabilities
required to be an expert at one being precisely those required to master the other. For the
same reason, Australia's signals intelligence and information security functions were co-located
in the Defence Signals Bureau, the forerunner of ASD, more than 60 years ago.
As the Commonwealth authority on information security, and informed by its signals
intelligence expertise and capabilities, ASD can provide agencies with advice and assistance
as well as further information on the cyber threat. ASD conducts a number of workshops
and forums with IT Security Advisors throughout the year to facilitate open discussion on
countering the cyber threat. These discussions focus on the challenges faced by Australian
government agencies in protecting their information and systems.
The CSOC, located in ASD, provides coordinated operational responses to cyber security
incidents of national importance. The CSOC is a resource designed to serve all government
agencies and has embedded representation from the Australian Defence Force, Defence
Intelligence Organisation, Australian Security Intelligence Organisation, Australian Federal
Police and CERT Australia.
Contact
For all urgent and operational enquiries:
Phone 1300 CYBER1 (1300 292 371) and select 1 at any time.
Fill out a cyber security incident report form on the OnSecure website
(www.onsecure.gov.au).
For all non-urgent and general enquiries:
Phone 1300 CYBER1 (1300 292 371) and select 2 at any time.
Use the Advice and Assistance form on the OnSecure website. Australian Government
sponsored customers who do not have an OnSecure account should apply for one.
Email: asd.assist@defence.gov.au.
PRINCIPLES
Information Security Risk Management
Rationale
Risk management is the process of identifying risk, assessing risk, and taking steps to reduce
risk to an acceptable level.
The ISM is designed as a tool to assist Australian government agencies to risk-manage
the protection of their information and systems. It represents best practice in mitigating or
minimising the threat to Australian government systems. However, there is no one-size-fits-all
approach to information security. Taking a risk management approach to information security
provides agencies with the flexibility to allow for differences in their environment when making
security decisions. Agencies will have different security requirements, business needs and risk
appetites from one another. It may not be possible or appropriate for an agency to implement
all security controls included in the Controls manual.
Information security risk management requires agencies to understand the security risks they
face so that they can make informed decisions when using technology. Understanding the risk environment
specific to your agency will also enable greater flexibility and adaptability in responding to
changes in that environment as the threat landscape evolves.
Scope
This chapter describes the expectations on Australian government agencies in taking a risk
management approach to information security.
Principles
1.
2.
References
Further information on risk management and protective security requirements can be found in
the Australian Government Protective Security Policy Framework, available at
www.protectivesecurity.gov.au.
For further guidance please refer to the Australian Standard for Risk Management AS/NZS
ISO 31000:2009, the Australian Standards HB 167:2006 Security risk management and HB
327:2010 Communicating and consulting about risk.
The Protective Security Training College, managed by the Attorney-General's Department,
provides formal training opportunities on the subject of security risk management:
www.ag.gov.au/NationalSecurity/ProtectiveSecurityTraining/Pages/default.aspx.
Rationale
Did you know? The leadership of a Chief Information Security Officer or equivalent position can substantially reduce the overall cost of data breaches.[6]
Scope
This chapter describes roles and responsibilities concerning information security.
Principles
1.
Visibility
Accountability
Probity
References
Nil.
[6] Ponemon Institute, 2009 Annual Study: Cost of a Data Breach: Understanding Financial Impact, Customer Turnover and Preventative Solutions, 2010.
Scope
This chapter provides information on outsourcing information technology services and
functions to industry, as well as providing them with access to information in order to
undertake their duties.
Principles
1.
References
Additional information regarding cloud computing security considerations can be found on the
ASD website at www.asd.gov.au/infosec/cloudsecurity.htm.
The Australian Government Information Management Office (AGIMO) is the lead agency for
whole-of-government policy on cloud computing. Relevant documentation can be found at
www.finance.gov.au/cloud/.
The Attorney-General's Department's Australian Government Policy and Risk management
guidelines for the storage and processing of Australian Government information in outsourced
or offshore ICT arrangements can be found at
www.protectivesecurity.gov.au/informationsecurity/Pages/Supporting-guidelines-toinformation-security-(including-the-classification-system).aspx.
Better practice guidance developed by the Attorney-General's Department can be found in
Security of Outsourced Services and Functions at www.protectivesecurity.gov.au.
To avoid confusion and ensure information security policy and procedures are properly applied,
it is essential that all documents work in concert with, and not contradict, each other. Clear
and logical wording will ensure the documents are easy to use and, consequently, effective.
The cyber threat environment is dynamic, and so too are agency business requirements. If an
agency fails to keep its information security documentation current through regular reviews
that reflect the changing environment, its security measures and processes may cease
to be effective. In that situation, resources could be devoted to areas that have reduced
effectiveness or are no longer relevant.
Scope
This chapter describes the development of information security documentation for systems.
Principles
1.
References
Information on the development of security risk management plans can be found in the
Information Security Risk Management Guidelines available from Standards Australia at
www.standards.org.au.
Information relating to the Information Security Management Framework is contained in
the Australian Government Information Security Management Protocol of the Australian
Government Protective Security Policy Framework, which can be found at
www.protectivesecurity.gov.au.
System Accreditation
Rationale
Accreditation is the process by which an appropriate authority formally recognises and accepts
that residual risks on a system are appropriate for the classification of the information that it
processes, stores or communicates. Agencies must accredit all systems before they can be put
into operation. Accreditation provides agencies with assurance that either sufficient security
measures have been put in place on their systems or deficiencies in such measures have
been accepted by an appropriate authority. The following diagram shows, at a high level, the
process of accreditation:
[Diagram: the accreditation process. Roles: System Owner, Accreditation Authority, Certification Authority, Assessor. Steps, in order: requests accreditation (or reaccreditation); requests certification; requests audit; conducts first stage audit; implements controls; conducts second stage audit; assesses audit report and residual risk; awards certification; assesses certification report; assesses residual risk and other factors; awards accreditation; operates system.]
The accreditation process does not only apply to new systems. It is important that systems are
reaccredited as the information technology and cyber threat environments continue to evolve.
Performing regular accreditation facilitates understanding of a current system's security
environment and provides assurance that information systems are of a standard that meets
the agency's security requirements. Once a system has been accredited, continual
monitoring activities will assist in assessing changes to its environment and operation to
determine the implications for the risk profile and accreditation status of the system.
When accrediting a system, it is also important to remain aware of legislative and policy
requirements if a system is connecting to another party. Agencies should ensure they are
aware of the security measures the other party has implemented to protect their information,
and accept any risks associated with connecting to such systems. Further, it is vital that
Australian citizens maintain control of systems that process, store and communicate Australian
Eyes Only (AUSTEO) and Australian Government Access Only (AGAO) information.
Scope
This chapter describes the accreditation framework for systems and agencies' responsibilities.
Principles
1.
Accreditation Framework
Conducting Audits
Conducting Certifications
Independently verify the integrity and accept the outcome of an audit by certifying
a system as part of the accreditation framework.
Certification provides the accreditation authority with information on the security posture of
a system. This allows the accreditation authority to make an informed decision on whether
the residual risk of allowing the system to operate is acceptable. The certification authority is
typically the officer responsible for overseeing information technology security management
across the agency. However, ASD acts as the certification authority in the case of TOP
SECRET systems.
Certification for a system will be awarded once a certification authority is satisfied that the
system has been appropriately audited and the controls identified by the system owner have
been implemented and are operating effectively. The certification authority can then make a
recommendation to the accreditation authority on whether to award accreditation or not based
on an assessment of the residual risk relating to the operation of the system.
4.
Conducting Accreditations
Accept that the residual security risks on an agency system are appropriate for the
information it processes, stores or communicates by accrediting the system before it is
put into operation.
Accreditation of a system ensures that either sufficient security measures have been put in
place or that deficiencies in such measures have been accepted by an appropriate authority.
An accreditation authority awards approval to operate the system and is typically the agency
head or at least a senior executive who has an appropriate level of understanding of the risks
they are accepting on behalf of the agency. The exception is for TOP SECRET systems, for
which ASD is the accreditation authority.
References
Policy and Procedures for the Information Security Registered Assessor Program contains a
definition of the range of activities Information Security Registered Assessors are authorised to
perform. It can be obtained from ASD's website at www.asd.gov.au/infosec/irap.htm.
Information security is a continual process, one that extends beyond ensuring that a system is
secure at the time of deployment. Vulnerabilities can be introduced into a system through poor
design, planning, implementation, change management or maintenance, as well as through
changes in technology or attack vectors. Unmitigated vulnerabilities provide the means for a
malicious actor to compromise systems and information.
Scope
This chapter describes the importance of vulnerability management activities and robust
change management processes.
Principles
1.
Vulnerability Management
[9] Auditor General of Western Australia, Information Systems Audit Report (Report 4), June 2011.
2.
Change Management
References
Nil.
Agencies can lessen the impact, and the immediate and long term response costs, of a cyber
security incident by investing in effective measures to detect, prevent, report and manage
cyber security incidents. Such measures can help identify gaps in information security policies
and procedures, and assist in the development of additional measures required to prevent
future incidents occurring.
Did you know? 22 Australian companies in a 2011 study lost between 3,200 and 65,000 individual records from data breach incidents, with an average organisation cost per breach of $2.16 million.[10]
Scope
This chapter describes the detection, reporting and management of cyber security incidents.
Principles
1.
Detection
Reduce the impact and time taken to resolve cyber security incidents by
implementing proper procedures and appropriately configured technical measures.
Early cyber security incident detection allows for early response and resolution. Detection tools
and procedures work to mitigate the most common methods of attack used to exploit systems.
Measures for detecting cyber security incidents include intrusion detection strategies, malicious
code countermeasures, audit analysis and system integrity checking. However, automated
tools are only as good as the analysis they provide. If tools are not adequately configured
to assess potential security risks then it will not be evident when a weakness emerges.
Additionally, regular updates to detection tools to include new known vulnerabilities will help
avoid a degradation in their effectiveness over time.
2.
Reporting
Did you know? 85% of data breaches in 2011 took weeks or more to discover. In fact, over half of the breaches took months to discover.[11]
Management
Using the information gained during an incident can better prepare an agency for handling
future incidents and provide stronger protection for systems and information. Maintaining
the integrity of evidence, such as logs, audit trails and other detection tool outputs, after
an incident ensures that better assistance can be provided. Protecting digital evidence is not
only important for investigations leading to criminal prosecution, but is vital to ASD when
responding to and investigating cyber security incidents. Moreover, agencies are required
under the Archives Act 1983 to retain records such as event logs and audit trails for specific
minimum periods.
References
Further information on minimum retention periods for Commonwealth records is provided in
the National Archives of Australia's Administrative Functions Disposal Authority, which can be
found at
www.naa.gov.au/records-management/agency/keep-destroy-transfer/agency-ra/index.aspx.
Physical Security
Rationale
Physical security is fundamental to all security efforts. Without adequate physical security
controls, all other information security measures are considerably more difficult, if not
impossible, to initiate. Physical security requires that equipment and infrastructure be
safeguarded in a way that minimises the risk of resource theft, destruction or tampering, for
example by limiting access to areas housing network infrastructure.
Did you know? 30% of IT professionals interviewed in Australia had encountered issues with people having unauthorised physical and network access.[12]
Scope
This chapter outlines the physical security requirements for ICT systems and should be read
in conjunction with the physical security components of the Australian Government Protective
Security Policy Framework.
Principles
1.
Limit access to facilities, servers, network devices, ICT equipment and media to
authorised personnel only by applying appropriate physical security controls in
accordance with the Australian Government Protective Security Policy Framework.
The application of defence-in-depth to the protection of systems is enhanced through the use
of successive layers of physical security, designed to limit access to those with the need and
appropriate authorisation to access facilities, systems, network infrastructure, ICT equipment
and media.
[12] Cisco, Data Leakage Worldwide: Common Risks and Mistakes Employees Make, 2008.
References
Physical security requirements and guidance can be found in the Australian Government
Protective Security Policy Framework available at www.protectivesecurity.gov.au.
In addition, the Security Equipment Catalogue, produced by the Security Construction and
Equipment Committee (SCEC), provides a list of security products and vendor contact details.
Personnel Security
Rationale
Personnel security refers to measures which work to manage the risk of a trusted insider using
their legitimate access to an agency's facilities, assets, systems or people for illicit gain or to
cause harm, whether intentional or inadvertent. Implementing a personnel security framework
assists agencies in identifying any insider threats they could confront, and provides the tools
to manage the associated risks.
Personnel security is about being educated, informed and proactive. By accessing an
agency's information systems, employees are able to identify and understand procedures
and vulnerabilities, and know how and when they can be exploited. Legitimate access can be
abused or poor access controls can be manipulated to gain unauthorised access. Together
with an intent to commit theft, sabotage or to disclose sensitive or classified information, an
employee can cause significant damage to an agency's reputation, operations, productivity
or finances. Appointing suitable and trustworthy personnel to operate, maintain and access
information systems creates the first line of defence in an agency's security posture.
On the other hand, personnel can cause unintentional harm if they are unaware of their
security responsibilities and role in protecting an agency's systems and information. If policies
are to be successful in preventing the compromise or unauthorised disclosure of information,
they need to be adopted and practised by all agency personnel on a daily basis. For example,
social engineering campaigns aim to exploit weaknesses in personal judgement and decision
making to compromise or gain access to an agency's systems or information. Fostering a
culture of security awareness and responsibility through effective training and awareness
programs is vital in ensuring individuals make the security decisions expected of them.
Scope
This chapter describes information security awareness and training for personnel, and the
responsibilities of personnel using Internet services.
Principles
1.
2.
DID YOU KNOW? 85% of all malicious software, including viruses, worms, spyware, adware and Trojans, comes from the web.[13]
Agency staff need to be aware that any personal information they post on websites could be used to inform phishing scams, or to develop a detailed profile of their life and hobbies in order to build a trust relationship with them or their associates. The relationship could then be used to elicit government information from them or to implant malware on systems by inducing them to, for example, open emails or visit websites with malicious content. Even unclassified information that appears to be benign in isolation could, when combined with other information, have a considerable security impact.
Agencies can help to facilitate secure use of the Internet by implementing measures that
ensure Internet services and applications available to personnel are appropriately scanned for
malicious code and subject to inspection by intrusion detection systems.
References
For all other guidance on personnel security requirements, please refer to the Australian Government Personnel Security Core Policy and the Australian Government Personnel Security Management Protocol of the Australian Government Protective Security Policy Framework, which can be found at www.protectivesecurity.gov.au.
For information on the personnel security threat environment, please refer to The Insider Threat to Business: A personnel security handbook, as released by the Attorney-General's Department. This can be found under the Security heading at www.tisn.gov.au/Pages/Publications-by-topic.aspx.
Information on the policy and regulations governing the disclosure and use of government information by personnel can be found in the Managing Official Information section of APS Values and Code of Conduct in Practice, located at www.apsc.gov.au/publications-and-media/current-publications/aps-values-and-code-ofconduct-in-practice.
[13] Sophos, Security Threat Report 2012: Seeing the Threats Through the Hype, 2012.
Communications Infrastructure
Rationale
With the proliferation of system connections across government, a robust cable management regime can help agencies maintain the integrity and availability of their communications infrastructure and the confidentiality and integrity of their information. Proper cable management can minimise the likelihood of unauthorised personnel inadvertently or deliberately accessing system cables. Laying cables in a controlled manner and ensuring they are appropriately labelled, separated and accessible for visual inspection can help detect any covert tampering or access to system cables that may otherwise result in long-term unauthorised access to corporate information by a malicious actor, or damage to communications infrastructure that could impact the availability of system information. Appropriate cable labelling can also prevent data spills caused by accidentally connecting one system to another of a lesser classification.
Moreover, investment in adequate cable infrastructure and appropriate cable management practices can result in considerable long-term efficiencies over the life of an installation, as technology and system requirements continue to evolve. For instance, initial investment in fibre cable not only protects against unforeseen threats, but enables information to be communicated at higher classifications in the future.
Implementing accessible and visible cable infrastructure can significantly reduce expenses
resulting from future upgrades, accreditation, fault finding, configuration management and
regular inspection for tampering or degradation.
Compromising emanations from equipment and cables provide an opportunity for classified or sensitive information to be intercepted. Some environments, such as mobile platforms and deployable assets that process classified information, are particularly susceptible, and could be seriously affected if compromised by an emanation security attack. ASD maintains up-to-date emanation security threat assessments for relevant agencies to use when determining emanation security measures and maintaining the confidentiality and availability of classified systems. Having sound cable infrastructure and installation methodology provides protection in the case that an agency's emanation security threat increases.
Scope
This chapter describes the importance of securing communications infrastructure through
cable management and emanation security practices.
Principles
1. Cable Management
2. Emanation Security
References
Additional information on conducting an emanation security threat assessment is found in the latest version of Australian Communications Security Instruction 71, Guidelines for the Installation of Communication and Information Processing Equipment and Systems.
Additional information on cables and separation standards, as well as the potential dangers of operating radio frequency transmitters near systems, is documented in the latest version of Australian Communications Security Instruction 61, A Guide to the Assessment of Electromagnetic Security in Military and High-Risk Environments.
Scope
This chapter describes the importance of implementing measures which facilitate the secure
use of radio frequency and infrared devices, fax machines, multifunction devices, as well as
fixed telephones and the systems to which they connect.
Principles
1. Reduce the risk of data spills by implementing measures to prevent, detect and respond to the unauthorised or unsecure use of radio frequency and infrared communications devices.
Transmissions from radio frequency and infrared devices, for example Bluetooth and wireless
keyboards, can create an emanation security risk if not appropriately secured, positioned or
configured. Radio frequency devices are also capable of automatically connecting to systems
and potentially becoming unauthorised data storage devices. Moreover, the wireless transfer of
information can serve as an illicit entry point for an entire network.
Appropriately configuring wireless networks, positioning devices to restrict communications
from being transmitted into an unsecured space and using radio frequency shielding on
facilities will assist agencies in limiting wireless communications to areas under their control.
2.
References
For more information relating to wireless communications and connectivity, please refer to the Working Off-Site chapter of this document.
[14] United Kingdom Information Commissioner's Office, News Release: Council printer mix-up breached data protection laws, 5 April 2011.
DID YOU KNOW? When implemented as a package, ASD's Top 4 mitigation strategies would have prevented at least 85% of intrusions ASD responds to.
Scope
This chapter outlines the ISM controls that agencies must implement in order to be compliant
with PSPF mandatory requirement INFOSEC 4.
Principles
1. Reduce the risk of targeted cyber intrusions by implementing the Top 4 of ASD's Strategies to Mitigate Targeted Cyber Intrusions where applicable.
As the Strategies are designed to mitigate targeted content-based intrusions (that is, via email and web pages), priority for implementing the Top 4 Strategies should be placed on Australian government systems that are able to receive emails or browse web content originating from a different security domain, particularly from the Internet.
Other systems will benefit from implementing the Top 4, and the Top 35 Strategies more broadly; however, there may be circumstances where the risks or business impact of implementing the Strategies outweigh the benefit, and other security controls may have greater relevance. In such circumstances, agencies should apply appropriate risk management practices as outlined in the ISM.
Under the PSPF, non-compliance with any mandatory requirements must be reported to an agency's relevant portfolio minister, and also to ASD for matters relating to the ISM. Compliance reporting to the relevant portfolio minister is not intended as an extra step in the system accreditation process, nor is it assumed that compliance must be gained before authority to operate can be granted to a system.
References
Further information on the Strategies can be found in the following ASD Protect publications
available through the OnSecure portal and the ASD website at:
www.asd.gov.au/infosec/top35mitigationstrategies.htm.
Product Security
Rationale
ICT security products, by default, do not provide security out-of-the-box and may contain flaws or vulnerabilities which are able to be exploited by a malicious actor. With the proliferation of product choices, it is increasingly difficult for agencies to know not only which ICT security products are safe to use, but also which provide the most effective functionality for their business needs and threat environment.
DID YOU KNOW? 17% of IT professionals stated that the use of unauthorised programs resulted in as many as half of their company's data loss incidents.[15]
Scope
This chapter describes the merit of applying ASD's recommended risk-based processes to the selection, acquisition, installation and configuration of ICT products which provide security functions for the protection of information, as well as the value in following appropriate labelling, maintenance, sanitisation and disposal procedures for such products.
[15] CISCO, Data Leakage Worldwide: Common Risks and Mistakes Employees Make, 2008.
Principles
1. Securely select, acquire, install, configure, label, maintain, repair, sanitise and dispose of ICT products that provide information security functionality by applying ASD's recommended risk-based processes.
ASD publishes a list of evaluated products on the EPL to assist agencies in making risk-based decisions when acquiring ICT security products. Selecting an ICT security product which has been evaluated by ASD or another recognised scheme provides an agency with confidence that the product will meet its business needs and accepted risk profile, and prevents unintended software, possibly containing malicious code, from being installed.
Protective marking labels help determine appropriate handling, usage, sanitisation, disposal or destruction requirements based on classification. Ensuring that technicians who are given access to ICT products are either cleared or appropriately escorted, as well as sanitising or declassifying products when taking a product off-site for repair or maintenance, reduces the risk of unauthorised disclosure of classified or sensitive information. Following proper sanitisation and disposal procedures also mitigates the risk of inadvertently releasing classified information into the public domain.
2.
References
For further information on the AISEP and the EPL, please visit ASD's website at www.asd.gov.au/infosec.
Media Security
Rationale
Scope
This chapter describes the value of implementing appropriate media handling, usage, sanitisation, destruction and disposal practices.
[16] Sophos, Security Threat Report 2012: Seeing the Threats Through the Hype, 2012.
Principles
1. Media Handling
2. Media Usage
3. Media Sanitisation
4. Media Destruction
5. Media Disposal
Minimise the likelihood of a data spill when media is released into the public domain by declassification and a formal administrative decision to approve its disposal by an appropriate authority and according to an agency's documented procedures.
Appropriate media disposal practices are essential in ensuring that classified information
is not accidentally disclosed. Media can be disposed of only after it has been sanitised or
destroyed to a point where it no longer contains sensitive or classified information. A formal
administrative decision needs to be made to complete the declassification process and to allow
media to be released into the public domain.
References
Nil.
Software Security
Rationale
Software may contain flaws and vulnerabilities which are able to be exploited by a malicious actor. These vulnerabilities can not only be used to gain unauthorised access to classified or sensitive information, but also to undermine the integrity or availability of an agency's information, such as by targeting an agency's public website to disrupt access or modify its content for malicious purposes.
Installing antivirus software and software-based firewalls that limit inbound and outbound network connections are good first steps in reducing the risk of compromise. However, software security degrades over time as malicious actors discover new vulnerabilities and exploits, and these measures cannot be relied upon by themselves to protect workstations. Ensuring software and operating system patches are up to date, and antivirus and other security software is appropriately maintained with the latest signatures, helps address new vulnerabilities as they emerge.
DID YOU KNOW? Web applications are the third most common intrusion vector and are associated with more than one third of total data loss.[17]
Database systems contain a wealth of information, and are therefore highly desirable targets for cyber intruders, as compromising them can have significant and immediate payoffs. Implementing appropriate security controls will reduce the risk of unauthorised individuals accessing agency information held in databases, and accordingly reduce the risk involved with data aggregation.
Scope
This chapter describes the importance of implementing and maintaining proper software
security on agency systems.
Principles
1. Software Security
2. Known Vulnerabilities
3. Unknown Vulnerabilities
Restricting users' permissions to running a limited set of trusted applications significantly reduces the opportunities available for attacking a system and provides an effective mechanism to prevent system compromise due to the execution of unauthorised or malicious software. Accordingly, application whitelisting is one of the Top 4 Strategies in ASD's list of Strategies to Mitigate Targeted Cyber Intrusions.
4. Databases
Protect database systems and their contents from theft, corruption, loss and unauthorised access by hardening through technical measures, administrator and user policies and regular audits.
Using supported and patched database software, securely configuring database software and stringently controlling database access will assist in protecting the contents of databases. Assessing agency business requirements before storing sensitive information in databases is imperative, as this can impact an agency's risk profile. Additionally, removing preconfigured default settings and placing database servers on a different network segment from agency corporate workstations will improve database security.
References
Further guidance on ASD's Strategies to Mitigate Targeted Cyber Intrusions can be found at www.asd.gov.au/infosec/top35mitigationstrategies.htm.
Email Security
Rationale
Email, because it enables the communication of information into and out of an agency, is by nature insecure. Poor email security practices and implementation can lead to unauthorised individuals easily gaining access to sensitive or classified agency information in emails themselves, or through network compromise. Socially engineered emails are one of the most common techniques used to spread malware on agency networks. This technique relies on a user opening a malicious link or attachment. Motivated malicious actors can use these methods to establish doorways into agency networks, which can result in agency information being stolen, altered or even made unavailable. Agencies can minimise their vulnerability to socially engineered emails by properly implementing, monitoring and maintaining the configuration of email servers, software and email applications. These measures will make it difficult for malicious emails to enter an agency network and be delivered to users.
DID YOU KNOW? The Public Sector was the industry most targeted in August 2013, with one in every 76.7 emails being a socially engineered email.[19]
Scope
This chapter describes the value of the secure implementation and use of email on agency networks.
Principles
1. Email Security
Securely configuring email infrastructure (such as blocking inbound and outbound email
with a protective marking higher than the classification of the receiving system) can protect
against data spills or the potential interception or compromise of information. Implementing
identification controls, such as digital signatures and Sender Policy Framework (SPF), can
also aid in the detection of spoofed emails that may contain malicious code designed to
compromise a network. In the case of SPF, the SPF record specifies a list of IP addresses or
domains that are allowed to send email from a specific domain. If the email server that sent
the email is not in the list, the verification fails.
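As an added illustration that is not part of the ISM, the following Python puts the two gateway checks described above into code: a simplified SPF evaluator (ip4/ip6, include and all only, not the full RFC 7208 mechanism set) and a protective-marking gate that rejects mail marked above the receiving system's classification. The DNS records, IP addresses, domains, classification ordering and the assumed X-Protective-Marking field layout (VER=, NS=, SEC=) are constructed for the example.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (example data, not real records).
CONSTRUCTED_DNS = {
    "example.gov.au": "v=spf1 ip4:203.0.113.0/24 include:mail.example.gov.au -all",
    "mail.example.gov.au": "v=spf1 ip4:198.51.100.25 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns, depth=0):
    """Evaluate the sending IP against the domain's SPF record.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Simplified on purpose: only the ip4/ip6, include and all mechanisms are
    handled (no a, mx, exists, redirect or macros).
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; also stops include loops
        return "permerror"
    record = dns.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            try:
                # an IPv6 sender never matches an ip4 network, and vice versa
                matched = ip in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
        elif mechanism == "include":
            # include matches only when the referenced domain's policy says pass
            matched = check_spf(sender_ip, argument, dns, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no term matched and no 'all' present


# Ordering of classification levels assumed for the example: a system at
# index i may receive email whose SEC marking sits at index <= i.
CLASSIFICATION_ORDER = ["UNCLASSIFIED", "PROTECTED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


def parse_protective_marking(header_value):
    """Parse an X-Protective-Marking header such as
    'VER=2012.3, NS=gov.au, SEC=PROTECTED' into a dict (field layout assumed)."""
    fields = {}
    for part in header_value.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip().upper()] = value.strip()
    return fields


def marking_allowed(header_value, system_classification):
    """True only if the SEC marking is at or below the receiving system's
    classification. Missing or unrecognised markings fail closed."""
    sec = parse_protective_marking(header_value).get("SEC", "").upper()
    if sec not in CLASSIFICATION_ORDER or system_classification not in CLASSIFICATION_ORDER:
        return False
    return CLASSIFICATION_ORDER.index(sec) <= CLASSIFICATION_ORDER.index(system_classification)


def gateway_decision(sender_ip, mail_from_domain, marking_header,
                     system_classification, dns=CONSTRUCTED_DNS):
    """Combine both checks into one accept / quarantine / reject decision."""
    spf = check_spf(sender_ip, mail_from_domain, dns)
    if spf in ("fail", "permerror"):
        return "reject: spf " + spf
    if not marking_allowed(marking_header, system_classification):
        return "reject: protective marking exceeds system classification"
    if spf == "softfail":
        return "quarantine: spf softfail"
    return "accept"


if __name__ == "__main__":
    # Constructed sample messages arriving at a PROTECTED system.
    print(gateway_decision("203.0.113.7", "example.gov.au",
                           "VER=2012.3, NS=gov.au, SEC=PROTECTED", "PROTECTED"))
    print(gateway_decision("192.0.2.9", "example.gov.au",
                           "VER=2012.3, NS=gov.au, SEC=UNCLASSIFIED", "PROTECTED"))
    print(gateway_decision("203.0.113.7", "example.gov.au",
                           "VER=2012.3, NS=gov.au, SEC=SECRET", "PROTECTED"))
```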
Email messages are often routed through many email servers when travelling from sender to
recipient. For this reason, it is vital for agencies to put stringent measures in place to check
for malicious content (for instance, through a content filter) and confirm the validity of emails.
Socially engineered emails are one of the most common techniques used to spread malware.
Once technical measures fail, users are the last line of defence in ensuring a socially
engineered email does not lead to malware being installed on a workstation. Agencies need
to ensure their users are aware of the threat and educated on how to detect and report
suspicious emails. It is important, therefore, to implement an agency email usage policy and
communicate agency expectations and processes to their users.
References
Further information on Government-approved email marking standards can be found in AGIMO's Email Protective Marking Standard for the Australian Government at www.finance.gov.au/files/2012/04/EPMS2012.3.pdf.
Additionally, the implementation guide for the Email Protective Marking Standard for the Australian Government is available at www.finance.gov.au/files/2012/04/email_pmsig.pdf.
Access Control
Rationale
Agencies can manage access to system information through appropriate access controls,
restricting system access to authorised and successfully identified and authenticated users.
The automatic logging and subsequent auditing of information relating to network activities
will also increase the likelihood that malicious behaviour will be detected.
DID YOU KNOW? 44% of data breaches are a result of exploitation of default or guessable credentials.[20]
DID YOU KNOW? In 2012, Russian cybercriminals posted nearly 6.5 million LinkedIn passwords on the Internet. Teams of hackers had cracked more than 60% of these passwords within days.[21]
Scope
This chapter describes the importance of managing user access to system information and the automatic logging and auditing of network activities.
Principles
1. Ensure that access to a system is limited to users and devices that are authorised to access it by adopting appropriate identification and authentication practices and controls.
Strong identification and authentication mechanisms significantly reduce the risk that
unauthorised users will gain access to a system.
2. System Access
Event logging and auditing help raise the security posture of a system by increasing the accountability for all user actions, thereby improving the chances that malicious behaviour will be detected. Agencies should ensure sufficient detail is recorded in order for the logs to be useful when reviewed, and should determine an appropriate length of time for them to be retained. Conducting audits of event logs should be seen as an integral part of system maintenance, since they will help detect and attribute any violations of information security policy, including cyber security incidents, breaches and intrusions. Agencies are required under the Archives Act 1983 to retain event logs and audit trails for a minimum of seven years.
DID YOU KNOW? In 2012, a major data storage site admitted that usernames and passwords stolen from other websites had been used to sign into a small number of its accounts. One employee of the site had used the same password for all of their accounts, including their work account with access to sensitive data. When the password was stolen elsewhere, the attacker discovered that it could be used against the data storage site.[22]
References
Further information on minimum retention periods for Commonwealth records is provided in the National Archives of Australia's Administrative Functions Disposal Authority, which can be found at www.naa.gov.au/records-management/agency/keep-destroy-transfer/agency-ra/index.aspx.
[22] Sophos, Security Threat Report 2013, 2013.
Secure Administration
Rationale
Secure enterprise administration allows agencies to be resilient in the face of malicious cyber
intrusions by protecting privileged machines and accounts from compromise, as well as making
an adversary's movement through a network more difficult.
By implementing technical controls and configuring networks to improve administration
security, it is more likely the secure administration system will withstand a cyber intrusion.
This can limit damage and can make incident response far more agile, allowing remediation
work to be completed faster.
Scope
This chapter describes the importance of applying security controls and processes to improve the security of administrative credentials, infrastructure and actions performed on a network or system.
Principles
1. Secure Administration
Increase the level of assurance that administrator activities and credentials will not be compromised during a malicious cyber intrusion by implementing robust technical controls and processes.
One of the greatest threats to the security of a network is the compromise of a workstation
used for IT administration. Providing a physically separate workstation with robust technical
controls in place to administrators responsible for critical assets, in addition to their
workstation used for unprivileged access, provides greater assurance that administrator
activities and credentials will not be compromised.
References
Nil.
Cryptography
Rationale
Cryptography is primarily used to restrict access to information to authorised users. First and
foremost, encryption improves confidentiality, providing protection to classified or sensitive
information by making it unreadable to all but authorised users.
More broadly, cryptography can also provide:
Authentication: ensuring that a person or entity is who they claim to be. A robust
authentication system is essential for protecting access to IT systems.
Using approved encryption does not reduce the consequences of a successful attack and, in effect, no real-world product can ever be guaranteed to be free of vulnerabilities.
Before approving cryptographic algorithms for use, ASD conducts a meticulous evaluation of those already scrutinised by industry and academic communities in practical and theoretical settings, which have not been found to be susceptible to any feasible attacks. However, there can be no guarantee of security against presently unknown attacks. It is vital that agencies remain aware of what is possible as the information technology environment continues to develop and change.
DID YOU KNOW? A survey in 2008 conducted by the Identity Theft Resource Centre found that 82% of respondents who had lost data said that encryption could have prevented the data from being compromised.
Further, some common protocols have known impacts on other security operations, for example, restricting an agency's ability to inspect encrypted messages and attachments for inappropriate content, or to scan files for viruses and malicious code. To maximise the benefit of cryptographic capabilities, agencies should only use ASD Approved Cryptographic Algorithms and Protocols, ensure that they are configured appropriately, and be aware of any known restrictions or vulnerabilities.
Scope
This chapter describes the use of ASD Approved Cryptographic Algorithms and Protocols to
encrypt information, and the management of cryptographic systems.
Principles
1. Availability of Information
Maintain the integrity of cryptographic systems, and hence the confidentiality and integrity of the information being protected, by applying appropriate governance and personnel and physical security measures.
Appropriate security measures are crucial in safeguarding cryptographic systems and their
material from compromise.
References
ASD Approved Cryptographic Algorithms and Protocols are listed in the Cryptography chapter
of the ISM Controls manual.
Network Security
Rationale
Agency networks can contain sensitive, classified and business-critical information and services. Malicious actors look for ways to exploit weaknesses in an agency's network to gain unauthorised access, disrupt legitimate access, or modify such information and services. If a malicious actor has limited opportunities to connect to a given network, they have limited opportunities to compromise that network.
DID YOU KNOW? In 2011, 94% of all data compromised involved servers.[23]
Scope
This chapter describes the importance of securely deploying, configuring and managing
network devices and infrastructure.
Principles
1. Network Management
2.
Agencies should be aware of the inherent risks in connecting specific devices to a network. For instance, softphones (software applications which allow a workstation to act as a VoIP phone, such as Skype) can introduce additional vulnerabilities into the network as they do not separate voice from data, as hardware-based IP phones do. This can provide a malicious actor with access to an agency's voice network via its data network.
When using wireless networks, network segregation, changing default settings, authentication, encryption and securing devices used to access wireless networks will significantly reduce the risk of compromise.[24]
Scanning imported data for malicious content reduces the risk of a system being infected, thus
maintaining its confidentiality, integrity and availability.
3. Network Infrastructure
References
Nil.
Scope
This chapter describes the importance of securely transferring information to and from a
security domain through a gateway, including using cross domain solutions.
Principles
1. Gateway Security
Ensure the secure transfer of information between security domains with a high level of assurance by implementing security-enforcing mechanisms.
Connecting systems with differing security policies poses significant risks. For classified
networks, using a cross domain solution comprising ASD evaluated products will help
protect the confidentiality, integrity and availability of information being transferred between
security domains.
3. Identify and mitigate security risks as early as possible by maintaining and regularly reviewing gateway architecture. This includes undertaking routine testing and regular security risk assessments and ensuring that any residual risks are accepted.
Changes to a security domain connected to a gateway can potentially affect the security
posture of other connected security domains.
References
Nil.
Scope
This chapter describes the importance of performing data transfers and content filtering in a
secure manner.
Principles
1. Data Transfers
Mitigate the risk of data spills of sensitive or classified information to systems not accredited to handle the data by having a policy governing data transfers and a procedure in place for authorising and importing or exporting the data to a system.
A data transfer authorisation system will not only hold users accountable for data they transfer between systems, but also give agencies an opportunity to scan the data for malicious and active content and to check that the classification of the data is appropriate for the destination system.
2. Content Filtering
References
Nil.
Working Off-Site
Rationale
The use of mobile devices has become essential to everyday communication. Mobile devices
can provide employees with access to email, the Internet and even agency systems, allowing
them to work from home, an airport lounge or hotel room. They provide greater accessibility,
mobility, convenience and, importantly, efficiency.
While agencies should naturally embrace the potential of mobile devices, it is important to understand and evaluate the risks associated with their use and how they impact an agency's security risk profile.
Once a mobile device leaves a controlled office environment, it also leaves behind the
protection that environment affords. Some of the best qualities of mobile devices, such as
their portability and capacity for use outside the office, have introduced new risks. The more
capable these devices are of helping users access and use data, the more capable they are of
being manipulated by malicious actors for the same end.
Poorly controlled mobile devices are particularly vulnerable to loss and compromise, and may provide a malicious actor with an access point into an agency's system. For instance, users who access websites and web-based email from their mobile devices can make themselves vulnerable to Internet-based threats, such as malware. The employee can then inadvertently expose the corporate network to these threats when he or she connects to the agency's system from the same device. Further, agencies that allow business use of personal mobile devices can introduce significant risks to their information, as personal devices often do not have sufficient in-built security features enabled, such as authentication controls and encryption. These risks apply equally to workstations installed for home-based work. Privacy rights should also be considered by agencies permitting the use of personal devices for business purposes, as access to records in the event of an incident can be restricted due to privacy concerns.
Agencies must also consider their obligations under relevant legislation, such as government
data retention requirements under the Archives Act 1983.
It is important for agencies to identify the circumstances where the liability and security risks
of using mobile devices outweigh the benefits. In particular, mobile devices carrying highly
classified information should not be used outside of appropriately certified facilities, as the risk
of classified information being overheard or observed is considered too high.
Although mobile networking alters the risks associated with various threats to security,
the overall security objectives remain the same as with wired networks: maintaining
confidentiality, integrity and availability of systems and their information. To reduce the risks of
use, it is critical that agencies develop and implement policies to ensure users protect mobile
devices in an appropriate manner when they are used outside controlled facilities, and that
personnel working from home or outside the office protect information in the same manner as
in the office environment.
Scope
This chapter describes managing the use of mobile devices and accessing information from
unsecured locations and home environments.
Principles
1. Acceptable Use
Prevent mobile devices from becoming a security risk to the system or network
they connect to by implementing, and educating personnel on, an effective mobile
device usage policy.
Information being communicated via a mobile device outside a controlled facility can be more
easily overheard or observed by those not authorised to do so. An agency policy governing
the use of mobile devices can help build awareness of the elevated risks relating to their use,
and ensure confidentiality and integrity of information is maintained. Under an acceptable use
policy, personnel need to know the classification of information which the device has been
approved to process or communicate before use.[25]
DID YOU KNOW? A Symantec study found a 25% increase in the number of vulnerabilities in
mobile devices between 2011 and 2012.[25]
3.
DID YOU KNOW?
4.
References
Information relating to physical security is contained in the Australian Government Physical
Security Management Protocol of the Protective Security Policy Framework, which can be found
at www.protectivesecurity.gov.au.
For further information on working from home see the Australian Government Physical Security
Management Guidelines: Working Away From the Office, which can be found at
www.protectivesecurity.gov.au.
Information on enterprise mobility considerations can be found in ASD's Protect publication
Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD) at
www.asd.gov.au.
[26] Australian Mobile Telecommunications Association, FAQs on Mobile Security, found at www.amta.org.au.
Supporting Information
Glossary of Terms
access control
accreditation
accreditation authority
agency
agency head
application whitelisting
audit
Australasian Information Security Evaluation Program (AISEP)
authentication
availability
certification
certification authority
classification
classified information
confidentiality
cryptographic algorithm
cryptographic protocol
cyber security
data spill
emanation security
declassification
Distributed Denial of Service (DDoS)
firewall
gateway
handling requirements
hardware
ICT system
infrared device
information security
Information Security Registered Assessor Program
integrity
malware
media
media destruction
media disposal
media sanitisation
metadata: Information that describes data. This can include how the data was created, the
time and date of creation, the author of the data and the location on a network where the
data was created.
mobile device
multifunction devices
need-to-know
network device
network infrastructure
patch
product
reaccreditation
risk
risk acceptance
risk analysis
risk appetite
risk management
risk mitigation
residual risk
security domain(s)
sensitive information
softphone
system
threat
user
vulnerability
workstation