AU's Information Security Manual & Protective Security Policy Framework

The DSD (Defence Signals Directorate) publishes an Information Security Manual (ISM) for all Australian Government agencies. The ISM is the starting point for security auditing, accreditation, roles, etc.

Likewise, the AG (Attorney General) publishes a Protective Security Policy Framework for all government departments & agencies.

This page suggests approximate analogues from AU's regime to CAcert's regime, for interest only. A possible benefit is that some ideas may cross-fertilise, but this can only go so far. Typically, security models shouldn't be borrowed wholesale, as the business contexts are different.

Roles

| AU Govt. ISM document or process | CAcert document or process | comments, text from ISM |
|---|---|---|
| Agency Head | Board | Board performs executive role over all critical teams |
| CISO Chief Information Security Officer | Security Officer (Board) | "2.1.16. The CISO of an agency is responsible for coordinating communication between security and business functions as well as overseeing the application of information security controls and security risk management processes within the agency." |
| ASA Agency Security Advisor | ? for physical, see SP2 Physical Security; for personnel, see SP9.1 Staffing | "2.1.61. The appointment of an ASA within an agency ensures that physical and personnel security is implemented to appropriately protect information within agencies." This is a Protective role, c.f. PSPF 4.5 |
| ITSA Information Technology Security Advisor | ? | Unclear what the difference is between this and CISO. "2.1.69. The designation of an ITSM as the ITSA within an agency ensures that information security measures are coordinated across the entire agency." PSPF 4.5 GOV 2: "(agencies must appoint:) an information technology security adviser (ITSA) to advise senior management on the security of the agency's Information Communications Technology (ICT) systems." |
| ITSM Information Technology Security Manager | Team Leaders under SP | T/Ls were called Officers in the past. "ITSMs are selected to review, alongside IRAPs and DSD reviewers." |
| ITSO Information Technology Security Officers | Assurers who have passed SP9.1.4 ABC and are appointed to a team under SP | Titles are team-specific |
| System Owners | ? | Not clear. Possible affected systems include ABC, Arbitration, OTRS, mail |
| System Users | Members | Under CCA; not to be confused with Members of the Association |
| infosec-registered assessors | External Auditor | Also, an ITSM may do an Information Security Assessment. Typically these people are called IRAPs. |
| IRAP Infosec-registered Assessor Program | External Auditor Program | IRAP is the DSD-managed list of approved Auditors drawn from commercial suppliers. |
| Accreditation Authority | Browser | The person that approves the accreditation from the review. Generally the CISO. |
| PSPF 3. 4 element people test | SP 9. | All points mirrored in CAcert's process (Assurance pre-requisite, ABC, t/l's testing & training, board approval, agreement to SP.) |

Doco

| AU Govt. ISM document or process | CAcert document or process | comments, text from ISM |
|---|---|---|
| ISM | DRC | The set of principles, restrictions and criteria over which the org is assessed. ISM goes into far more depth (328 pages as opposed to 156 criteria). |
| PSPF Protective Security Policy Framework | SP Security Policy | Demarcation between PSPF and ISM is unclear, as is the difference between protective and information security. Both PSPF & SP are open, overarching documents mandating a number of subsidiary documents. |
| ISP Information Security Policy | SP Security Policy | (ISM) "2.2.50. The ISP should describe the information security policies, standards and responsibilities of an agency and set any specific minimum requirements, which will then inform the development of SRMPs." |
| protocols | SM | PSPF authorises agency protocols, also plans, policies, procedures (4.5 GOV 4,5); SP1.4.2-3 authorises Security Manual and procedures. |
| SRMP Security Risk Management Plan | ? | "2.2.63. The SRMP should contain a security risk assessment and a corresponding treatment strategy." |
| SSP System Security Plan | SM Security Manual | "2.2.35. The SSP describes the implementation and operation of controls within the system as derived from the ISM and the SRMP. Depending on the documentation framework chosen, some details common to multiple systems could be consolidated in a higher level SSP." |
| SOPs Standard Operating Procedures | (Security) Practices | "2.2.36. SOPs provide a step-by-step guide to undertaking information security related tasks. They provide assurance that tasks can be undertaken in a repeatable manner, even by system users without strong technical knowledge of the system's mechanics. Depending on the documentation framework chosen, some procedures common to multiple systems could be consolidated into a higher level SOP." Practices are mandated by SM. |
| (ISM) IRP Incident Response Plan | SP5 Incident Response | "2.2.37. The purpose of developing an IRP is to ensure that when an information security incident occurs a plan is in place to appropriately respond to the situation. In most situations the aim of the response will be to preserve any evidence relating to the information security incident and to prevent the impact of the information security incident from escalating within the agency." |
| (ISM) Emergency Procedures | SP6 Disaster Recovery | |
| PSPF 4.6 risk management | ? | PSPF adopts AS/NZS ISO 31000:2009 and HB 167:2006 |

Classifications & Review

| AU Govt. ISM document or process | CAcert document or process | comments, text from ISM |
|---|---|---|
| TOP SECRET, HIGHLY PROTECTED | critical | Systems running the core CA and holding member assurance data |
| SECRET, CONFIDENTIAL, PROTECTED | SP9.5 Confidentiality, Secrecy, Rules 23B | Systems documented as confidential or secret |
| X-IN-CONFIDENCE | None | No distinction maintained as yet |
| AUSTEO | client cert. | An approximate analogue would be "Members only", as implemented by client cert. |
| AGAO | TrustedGroup (wiki) | An approximate meaning would be "appointed roles only" |
| Accreditation | First Audit to selected criteria/body | As accreditation sets a level. "2.3.4. Accreditation is the process by which an authoritative body, the accreditation authority, gives formal recognition and acceptance of the residual security risk to a system and is the prerequisite for the operation of an information system." Accreditation generally includes Audit: "2.3.5. The accreditation process involves reviewing information security documentation, assessing the implementation and effectiveness of security controls, determining the residual security risk relating to the operation of a system and seeking acceptance of the residual security risk by an appropriate authority." |
| Information Security Assessment | Audit | "2.3.45. An information security assessment process is undertaken to review information security documentation, assess the actual implementation and planned effectiveness of controls for a system and report on any residual security risks relating to the operation of the system to the accreditation authority." |

Security & Risk Management Process

| AU Govt. document or process | CAcert document or process | comments, text from ISM |
|---|---|---|
| ISM Vulnerability Analysis | ? | "2.4.19. Emerging security vulnerabilities can be addressed by conducting vulnerability analysis activities and addressing security risks identified as a result of the analysis." and "2.4.22. When an agency decides to implement changes to a system to address security risks resulting from a vulnerability analysis it will need to follow its change management processes, as for any other change." |
| ISM Change Management | Software-Assessment | Unclear whether Change Management is limited to security scope, or is the same as the wider-scope process, just documented within the Security domain. "2.4.32. Urgent and routine changes to systems can be controlled with the development of appropriate change management plans." WIP: Software-Assessment and Update Procedure |
| PSPF 4.11, ISM Business Continuity and Disaster Recovery | SP6 Disaster Recovery | CAcert detunes business continuity, but uptunes Disaster Recovery |
| PSPF 3. Resilience | not there | PSPF 3. "Effective protective security and business continuity management underpin organisational resilience." [1] |
| PSPF 1. risk appetite | no analogue | PSPF 1. sets the goal of "identify their individual levels of security risk tolerance." No clear analogue in CAcert. Partly because of the unknown of the future auditor. Partly because of unclear purpose; is security appetite a metaphor to explain the productivity-security paradox? |
| PSPF 4.5 Security Culture | internalised | The business approach of calling for a security culture is probably internalised in CAcert by nature of its origins and community. What is less clear is the nexus with privacy culture, which often interferes with risk management and security. |
| (PSPF 4.8) Information Security Incidents | SP5 Incident Response | "2.5.1. Information security incidents can be detected by developing, implementing and maintaining specialised tools and procedures." |
| (ISM) ISIR Information Security Incident Reporting (scheme) | ? | "2.5.51. Reporting significant information security incidents to the DSD will ensure that appropriate and timely assistance can be provided and that DSD can maintain an accurate threat environment picture for government systems." |
| PSPF 4.12 Contracting | SP 9.4 outsourcing | |
| PSPF 5.1 Vetting | SP 9.1.4 ABC | CAcert lacks "aftercare". |
| PSPF 4. transparency / openness | Principles | PSPF appears to attribute transparency & openness to a sort of demarcation issue, rather than a blunt productivity benefit. Missing a trick? CAcert doesn't really attribute it at all. |
| PSPF 4.6 risk management | ? | PSPF adopts AS/NZS ISO 31000:2009 and HB 167:2006 |

1. Much of the text in PSPF resonates with teachings in Security & Risk Management.

Physical Security

| AU Govt. PSPF document or process | CAcert document or process | comments, text from ISM |
|---|---|---|
| PSPF 5.3 Physical Security Core Policy | SP2 Physical Security | PSPF 5.3 leads the ISM (chapter). |

Misc

| AU Govt. ISM document or process | CAcert document or process | comments, text from ISM |
|---|---|---|
| ISM 2.2.14-2.2.19 | also see DRC A.1, CCS | Similar approach |
| ISM 2.2.41 formal signoff; PSPF 6(8) | PoP Policy On Policy | "2.2.41. Without appropriate sign-off within an agency, the information security personnel will have a reduced ability to ensure appropriate security procedures are in place for systems. Having sign-off at an appropriate level assists in reducing this security risk as well as ensuring that senior management is aware of information security issues and security risks to the agency's business." |

Notes

Audit/ISM (last edited 2010-11-14 02:17:21 by SunTzuMelange)