
DSD accidentally leaks own infosec manual

The Australian Defence Signals Directorate (DSD) has inadvertently made its 2012 Information Security Manual available to the public before officially announcing it due to a misconfiguration of its web server.
Written by Michael Lee, Contributor


Image: The new structure of the 2012 Information Security Manual
(Credit: Defence Signals Directorate)

The DSD has incorrectly configured its web server to allow any user to view file listings of certain directories on its website, including the 2012 Information Security Manual, which was uploaded yesterday morning.

Generally, web servers only display a directory listing when no index file is located in the same directory and the server has not been configured to deny listings in its overall configuration or on a per directory basis with .htaccess files. A blank file in the same directory with the name index.htm could also have easily prevented the directory's contents from being listed.
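One way to audit a document root for exactly this misconfiguration, as an added example that is not part of the article or of DSD's setup: the script walks a local docroot and reports directories an Apache-style server would list (no index file, and no `Options -Indexes` in a .htaccess at that level or in a parent), then applies the blank-index remediation the paragraph mentions. It assumes Apache semantics and the default index.html/index.htm names; the sample directory tree is constructed.

```python
"""Audit a docroot for directories an Apache-style server would list: no index
file and no 'Options -Indexes' in a .htaccess here or in an ancestor."""
import os
import re
import tempfile

INDEX_FILES = ("index.html", "index.htm")  # assumed DirectoryIndex names
_NO_INDEXES = re.compile(r"^\s*Options\b.*-Indexes", re.IGNORECASE | re.MULTILINE)

def htaccess_denies_listing(dirpath):
    """True if this directory's .htaccess turns directory indexes off."""
    path = os.path.join(dirpath, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        return bool(_NO_INDEXES.search(fh.read()))

def listable_dirs(root):
    """Root-relative paths of directories whose contents would be listed.
    Apache merges .htaccess settings down the tree, so '-Indexes' in a parent
    covers every child; os.walk is top-down, so parents are decided first."""
    root = os.path.abspath(root)
    denied = {}  # absolute dirpath -> listings disabled here or above
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic output order
        inherited = denied.get(os.path.dirname(dirpath), False)
        denied[dirpath] = inherited or htaccess_denies_listing(dirpath)
        if not denied[dirpath] and not any(f in INDEX_FILES for f in filenames):
            exposed.append(os.path.relpath(dirpath, root))
    return exposed

def add_blank_index(root):
    """Remediate as the article suggests: an empty index.htm per exposed dir."""
    exposed = listable_dirs(root)
    for rel in exposed:
        open(os.path.join(root, rel, "index.htm"), "w").close()
    return len(exposed)

def build_sample_root():
    """Constructed sample docroot: PDFs in index-less dirs, one dir protected."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "publications", "ism-2012"))
    os.makedirs(os.path.join(root, "images", "thumbs"))
    open(os.path.join(root, "index.html"), "w").close()
    open(os.path.join(root, "publications", "ism-2012", "Controls.pdf"), "w").close()
    with open(os.path.join(root, "images", ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")
    return root
```

Disabling indexes server-wide in httpd.conf is the stronger fix; the blank index file only masks the listing for that one directory.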

DSD's website states that the edition currently published online is the August 2011 edition.

The 2012 Information Security Manual itself is now divided into three documents of varying depth, each targeting staff of a different level of expertise. The Executive Companion document (PDF) is the highest-level document, providing an overview of why information security is necessary and a case study. It is aimed at the most senior executives, such as secretaries and CEOs.

The Principles document (PDF) goes into further detail, aiming to help agencies develop better information security policies. It targets security executives, chief information security officers, chief information officers and senior decision makers.

The Controls document (PDF) is the most detailed, providing a set of controls that aim to help IT security advisers and managers, as well as security practitioners in government, adhere to the Principles document.

The three documents are expected to help build upon further security advice, such as device-specific guides and the Australian Communication Security Instructions.

Subsequent to this article being published, the DSD advised that drafts of the manual had been circulated to state and federal agencies in August, and stated that the 2012 manual had been launched at two recent forums in Canberra. However, it has not yet made the 2012 manual publicly available online.

It has now addressed the directory listing issue, and has updated its website to make the 2012 manual available.

Updated at 3.46pm 16 November 2011: added DSD's comments.
