CISOs given cyber leadership role in Australia's new Information Security Manual

ACSC chief Alastair MacGibbon says there is an increased responsibility on system owners to truly protect their systems.
Written by Stilgherrian , Contributor

The Australian Signals Directorate (ASD) Essential Eight strategies for mitigating cyber attacks, and a focus on risk management, are at the core of the Australian government's latest Information Security Manual (ISM) released on Tuesday.

"We're pushing the Essential Eight more, absolutely, because we know that's good advice," Alastair MacGibbon, head of the Australian Cyber Security Centre (ACSC), told ZDNet.

Many controls which were previously given the priority of "should" are now a "must".

The ISM now includes specific mandatory controls to limit and log privileged access to systems, applications, and information; mandatory blocking of Adobe Flash, Java from the internet, and web advertisements; and mandatory disabling of unrequired functionality in Microsoft Office, web browsers, and PDF readers.

Microsoft Office macros are now severely restricted.

"Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros," the ISM reads. "Microsoft Office macros in documents originating from the Internet are blocked."

The scope of the chief information security officer (CISO) role is also expanded under the latest ISM.

Previously, the CISO was described as setting the "strategic direction" for an agency's information security; "facilitating communications" between the security, ICT, and business personnel; and ensuring compliance.

The 2018 edition of the ISM is more direct -- the CISO's role is to "provide cyber security leadership for their organisation".

The responsibilities of system owners have been clarified. System owners are now required to "register each system with the system's authorising officer", and "monitor security risks and the effectiveness of security controls for each system", rather than those responsibilities existing at lower levels.

See: Autonomous cyber defences are the future

The ISM also now specifies what an incident response plan needs to contain, and includes the expected response to each type of incident, internal, and external reporting procedures; the steps necessary to ensure the integrity of evidence; and the criteria for referring an incident to law enforcement or the ACSC.

"There is an increased responsibility in 2018 on system owners to truly protect their systems through proper risk management. It is not compliance versus risk. It's the right type of compliance," MacGibbon said.

"To me, compliance is hygiene, and we need good hygiene because that's what makes you secure. What makes you more secure is proper risk management on top of good hygiene.

"So we are expecting a maturation on the part of systems owners, yes."

MacGibbon cited the example of legacy systems that can't be patched, because the patches don't exist. The question then becomes one of how the agency achieves "the intent rather than the black letter" of the ISM controls.

Rather than scrapping a legacy application running on Windows XP, for example, an agency could put in place controls that limit the likelihood that it would be exposed to the relevant threats.

"Risk management doesn't mean you can cut corners. Risk management actually means you're more effective at addressing risk," MacGibbon said.

The ISM is a key element of the cybersecurity policies for Australian government agencies. It fleshes out the cybersecurity components of the Protective Security Policy Framework (PSPF) administered by the Attorney-General's Department, which also covers personnel security, physical security, and governance.

In previous years, the ISM was split into an Executive Companion, a set of Information Security Principles, and the Information Security Controls themselves.

The 2018 edition is a single volume, intended for CISOs, chief information officers, cyber security professionals, and information technology managers. Discussions of governance issues are more closely integrated with the specifications of technical controls.

The new ISM also removes language referring to the roles of IT Security Advisor (ITSA), IT Security Manager (ITSM), and IT Security Officer (ITSO), as well as the security classification CONFIDENTIAL, all of which have been removed from the PSPF.

Also: Culture the missing link for cybersecurity's weakest link

Other evolutionary changes include more detail on application hardening; more detail on backup, restoration, and preservation strategies; and more detail on the requirements for cyber security awareness raising and training.

"We can't change the 2017 version of the ISM to the 2018 version of the ISM to be radically different, but you'll see a directional shift towards more effective risk management," MacGibbon said.

"We know there are ways we could a lot of the problems that we see, and that's through following the ASD/ACSC advice. So we're saying follow that advice, but how you follow it is the question."

Related Coverage

Security guarantees will be meaningless under encryption-busting laws: Senetas

If an Australian company is compelled by legislation to deny that a capability in its products exists, then its assertions are meaningless, security company Senetas has said.

5G stakes couldn't be higher so we advised Huawei ban: ASD

High-risk vendors could previously be confined to the edge of networks, but 5G changes that, the Australian Signals Directorate has said.

AustCyber to figure out what 'cyber skills' actually are

Australia is ahead of the global average figure for cyber gender diversity, but when it comes to filling the cyber skills gap we don't even know what we need.

Australian security trio aim for unbreakable encrypted data environment

Vault, QuintessenceLabs, and Ziroh Labs have joined forces to build a system for strong encryption of user data for government.

5 major data breach predictions for 2019 (TechRepublic)

Biometrics and gaming are just a couple of the new cyberattack vectors professionals can expect in 2019. Here is what else to look out for.

Marriott reveals data breach affecting 500 million hotel guests (TechRepublic)

Hackers have had access to the Starwood guest reservation database since 2014.

Editorial standards