Government agencies worried that tighter security standards will annoy users and hurt productivity should upgrade to Windows 7, experts say.
The finalised Whole-of-Government (WofG) Common Operating Environment Policy released on the Australian Government Information Management Office (AGIMO) blog this week will prevent government users from accessing USB and SATA drives, installing software and viewing network drives.
The standards demand that departments limit user access, but on earlier Windows versions such as XP, which lack User Account Control and AppLocker, the practical choice is between a dramatic lock-down of standard user accounts and giving every user local administrator rights.
IBRS analyst Joe Sweeney said that Windows 7 offers tiered control of access rights, so tougher security will not require staff to be completely locked out of their machines.
"It will take quite a bit of time and effort for some departments to lock their systems down, those that do not have a culture of doing so," Sweeney said. "They can use a Windows 7 upgrade to help this if they are smart."
He pointed to controls such as AppLocker in Windows 7 (Enterprise and Ultimate editions only), which lets administrators decide which executables, installers and scripts a user may run, by publisher, path or file hash, rather than granting or withholding administrator rights wholesale.
"It gives more fine-grained control. Partial permissions mean users can change certain parts of the operating system, but not others," Sweeney said. "It can also set applications or versions, so users can install for instance Adobe but no other programs, or a particular version of Adobe Reader but none others. It is a significant change."
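The kind of rule Sweeney describes, written out as an added example (this is not code from the article, from AGIMO or from Microsoft): an AppLocker executable policy that lets standard users run the Windows folder and exactly one signed build of Adobe Reader, while local administrators stay unrestricted. The Reader install path is an assumption; the publisher, product, binary name and version are read from the file's Authenticode signature rather than typed in by hand.

```powershell
# Added example (not from the article): pin standard users to one signed
# version of Adobe Reader with AppLocker, leaving Administrators unrestricted.
# Needs Windows 7 Enterprise/Ultimate, an elevated prompt, the AppLocker
# module and the Application Identity service (AppIDSvc) running.
Import-Module AppLocker

# Assumed install path; point this at the binary you actually want to allow.
$readerExe = 'C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe'
$info = Get-AppLockerFileInformation -Path $readerExe
if (-not $info.Publisher) {
    throw "$readerExe is not Authenticode-signed; a publisher rule cannot be built for it."
}
$pub = $info.Publisher   # PublisherName, ProductName, BinaryName, BinaryVersion from the signature

# LowSection and HighSection set to the same value match this version only;
# a newer or older Reader build from the same publisher will not.
# EnforcementMode starts as AuditOnly so mismatches are logged, not blocked.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Everyone: one version of Adobe Reader" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$($pub.PublisherName)" ProductName="$($pub.ProductName)" BinaryName="$($pub.BinaryName)">
          <BinaryVersionRange LowSection="$($pub.BinaryVersion)" HighSection="$($pub.BinaryVersion)" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'reader-only.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: Test-AppLockerPolicy reports Allowed or Denied per file for the
# named user without changing the machine. iexplore.exe is used here only as
# something under Program Files that is not the pinned Reader build.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path $readerExe, 'C:\Program Files\Internet Explorer\iexplore.exe'

# Apply to the local machine (for a fleet, import the same XML into a GPO).
# Switch EnforcementMode to "Enabled" only after the AppLocker event log has
# shown no unexpected "would have been blocked" (8003) events for a while.
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Two practitioner caveats. Once a collection contains any rule and is enforced, everything it does not match is blocked, so the Windows-folder rule is what keeps logon and the shell working; and %WINDIR%\* is only a starting point, since a few subfolders under it are user-writable and should get explicit exceptions. Every other sanctioned application gets its own publisher rule in the same way; nothing else under Program Files runs for standard users.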
Departments should avoid Windows Vista, according to Sweeney, because the controls are not well implemented.
Agencies are mulling Windows 7 roll-outs independently: Centrelink is already on the platform, the Department of Parliamentary Services recently said it would move from XP to Vista, and Medicare is still on XP.
While larger departments would already have tight security arrangements in place, smaller tier 3 agencies would not, according to analysts, and it may cost them time and resources to put them into place.
Auditors have recently been scathing about departments with slack security, and IBRS analyst James Turner said agencies will continue to fail the tests unless they have the cash to fund remediation projects.
Security officers have for years pushed for the level of security contained in the finalised requirements, he said, but many requests have failed to get executive support.
The fiscal pain will be worth it, provided agencies are held accountable for non-compliance, according to Chris Gatford, director of penetration testing firm HackLabs.
"The standards will do well to improve the security practice of agencies — it is good common sense," Gatford said.
"Mandates are all very well, but they require penalties for non-compliance; otherwise they are just another piece of paper to be ignored."
The Australian National Audit Office said it does not comment on government policy, but that the report may gel with the broad post-audit security recommendations it occasionally issues to agencies.
Some improvements possible
The policy is lax in its logging requirements, according to Turner. It mandates that agencies keep logs and recommends a series of broad categories of events to capture, but it does not demand that anyone review the data.
"They can hand an auditor the logs that they've kept and say 'you look at them'," Turner said.
"It should be required, so that auditors can ask agencies to prove the logs have been reviewed."
The absence of log reviews has been blamed for a litany of data breaches across enterprise and government, affecting organisations of all sizes.
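What "proving the logs have been reviewed" can look like in practice, as an added example (not from the article or from any agency): a weekly pass over the AppLocker event log that produces a summary of blocked or would-be-blocked executions and a dated record of who reviewed it. The review directory path is an assumption; the event log name and IDs are Windows 7's own.

```powershell
# Added example (not from the article): weekly AppLocker log review that
# leaves behind a summary and a review record, not just the raw log.
# In the Microsoft-Windows-AppLocker/EXE and DLL log: 8002 = allowed,
# 8003 = would have been blocked (AuditOnly), 8004 = blocked (Enabled).
$since = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = $since
} -ErrorAction SilentlyContinue   # "no events found" is not an error for a review

# The useful fields live in the event's UserData payload, not in the message text.
$rows = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        EventId = $e.Id
        User    = $data.TargetUser   # SID of the account that tried to run the file
        File    = $data.FilePath
        Rule    = $data.RuleName     # the rule that matched, if any
    }
}

# Summary: which files were stopped (or would have been), how often, and by whom.
# Written PowerShell 2.0-style (no member enumeration) so it runs on stock Windows 7.
$summary = $rows | Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ',' } }
$summary | Format-Table -AutoSize

# Keep the detail and record who reviewed it and when; this line is what an
# auditor can be shown. The directory is an assumed location.
$reviewDir = 'C:\SecurityReviews'
New-Item -ItemType Directory -Path $reviewDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyy-MM-dd'
$rows | Export-Csv -Path (Join-Path $reviewDir "applocker-$stamp.csv") -NoTypeInformation
"$stamp reviewed by $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME: $(@($rows).Count) events since $since" |
    Add-Content -Path (Join-Path $reviewDir 'review-log.txt')
```

Run it from a scheduled task under an account that can read the log, and forward the CSV and the review-log line to a central store; a review record that lives only on the machine it describes is lost with the machine. The same pattern applies to the Security log (failed logons, account changes), with the event IDs and payload fields swapped.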