The Australian Defence Signals Directorate has made its top four information security mitigation strategies mandatory for all Australian government agencies. Its top 35 strategies were updated in October last year, seeing very little change among the top four that it had marked as "essential".
These four strategies are employing application whitelisting, patching applications, patching operating system vulnerabilities, and minimising the number of users that have administrative rights. At the time of the last update to the strategies list, it states that 85 percent of all intrusions it dealt with in 2011 could have been mitigated had the top four strategies been followed.
The choice to make the top four mandatory stems from an update to the Australian government's Protective Security Policy Framework (PSPF). The PSPF has three core mandatory tenets covering the confidentiality, integrity, and availability of data. To achieve these requirements, it has set out seven "Infosec" requirements.
In particular, Infosec 4 requires that all agencies document and implement procedures and measures to protect their systems and networks, and specifically notes that it "includes implementing the mandatory 'Strategies to Mitigate Targeted Cyber Intrusions' as detailed in the Australian government Information Security Manual [ISM]".
This means that the ISM will also need to be updated to reflect the changes to the PSPF. DSD expects to make these changes this month.
As a mandatory measure, there will also be changes to government agencies' compliance and reporting procedures. From August 1, agencies must provide annual PSPF compliance reports, including its status in implementing Infosec 4, to the relevant minister.
DSD notes that there is no specific time frame that agencies are expected to be fully compliant with the top four strategies, but a date for implementation should be established by the agency itself.