Australian government quietly enhancing info security manual
CYBERSECURITY is a big concern for Australia. After all, compared to all its peers in the Asia Pacific, Australia is the most frequently attacked country, with 90 percent of Australian companies reporting they receive up to 5,000 threats a day.
Fortunately, the Australian Signals Directorate (ASD) set up the Australian Cyber Security Centre (ACSC) in 2014. The body has been quite active in the cybersecurity space, and in recent months published an updated Australian Government Information Security Manual (ISM) to help businesses in the country strengthen their cyber defenses.
The updated manual aims to help organizations strengthen their risk management framework in order to protect information and systems from cyber threats.
The cybersecurity guidelines within the manual are based on the experience of the ACSC and ASD — which is why businesses in the country are sitting up and taking notice.
Intended for Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), cybersecurity professionals, and information technology managers, the guidelines discuss both governance and technical concepts.
Neatly packaged as a 182-page document, the Australian Government Information Security Manual has more than 25 chapters and offers advice on (almost) everything — from email and network management, to detecting, managing, and reporting cybersecurity incidents, to outsourcing IT and cloud services.
Below, Tech Wire Asia explores some of the interesting sections of the manual and highlights advice provided by the ACSC.
The ACSC on enterprise mobility
The more devices that can reach the corporate network, the larger its attack surface. However, in today's day and age, it is difficult to block employee access to the corporate network from personal computers and mobile devices altogether.
Hence, the ACSC provides device-specific guidance in the manual to help organizations understand how each kind interacts with the corporate network and how they can be secured to a greater degree.
The body suggests creating a policy governing the management of mobile devices and ensuring that it is applied effectively to every mobile device that accesses the corporate network, not just to those the organization owns.
The document goes on to further explain the implications of privately-owned mobile devices accessing the organization’s information and systems, and points out that separate guidance on ‘bring your own device’ (BYOD) is available for organizations permitting such use, to ensure risks in such cases are managed appropriately.
The guidelines in this section also cover the risks of traveling overseas with mobile devices that have interacted with the corporate network, offer advice on how to protect them during travel, and explain what needs to be done on returning to Australia to ensure network security isn't compromised.
The ACSC on cryptography and encryption
This section of the manual starts with the fundamentals of cryptography and then dives into some of the key nuances of encryption that can immediately help enterprises better secure their networks.
The document explains that encryption of data at rest can be used to reduce the physical storage and handling requirements for ICT equipment and media, while encryption of data in transit can be used to provide protection for sensitive or classified information communicated over public network infrastructure.
The ACSC provides advice on encrypting both information at rest and information in transit.
For information at rest, the ACSC suggests using software or high assurance cryptographic equipment (HACE) that provides either full disk encryption or partial encryption, where access controls grant permissions to the encrypted partitions separately from the rest of the disk.
For information in transit, particularly sensitive information, the ACSC requires an ASD Approved Cryptographic Protocol (AACP) to protect Australian Eyes Only (AUSTEO) and Australian Government Access Only (AGAO) information when it is communicated across network infrastructure.
Some of the contents of the document are more applicable to government organizations dealing with secret and top-secret information; it is up to CISOs, CIOs, and cybersecurity professionals to distill the guidance down to what is relevant for their line and field of work.
The ACSC on software development
Right off the bat, the section on software development seems thin. However, it’s important to note that the idea that the ACSC wants to enforce is simple: Organizations must bake security into the custom software they develop in order to ensure they’re able to keep bad actors from exploiting vulnerabilities and stealing data later on.
The ACSC provides advice separately on application development and web-application development in this document, and although the basic principle is the same, the ACSC suggests that the devil is in the details.
For application development, for example, the ACSC explains that it is important to segregate software development, testing, and production environments.
As a result, development and modification of software should only take place in development environments; information from production environments should not be used in testing or development environments unless those environments are secured to the same level as production; and unauthorized access to the authoritative source for software should be prevented.
In terms of web-application development, the ACSC reinforces that even when a web application only contains public information, there is a need to protect the integrity and availability of the information processed by the web application and the system it is hosted on.
The document then provides several guidelines for organizations developing web applications, all of which are practical and immediately applicable.