The PSPF and ISM Undergo Major Revisions
by Nigel, on 02/04/2019 7:30:00 AM
The information security framework for the Australian Government is driven by two main documents: the Protective Security Policy Framework (PSPF) owned by the Attorney-General’s Department, and the Information Security Manual (ISM) owned by the Australian Signals Directorate (ASD). Note that the PSPF is actually a set of documents, rather than a single volume like the ISM.
In the last 6 months, both documents have had significant revisions that indicate that the Australian Government is modernising their approach to information security.
A new version of the PSPF was released in October 2018 and has greatly simplified the framework. The three tiers of documents in the old framework have been removed and the approximately 30 policy documents have been replaced by 16 documents - one for each requirement. This makes it much easier to navigate the PSPF and find the information required.
The information security requirements have been reduced from 7 to 4 and address information identification and handling, preventing unauthorised access to information, and protecting information systems from cyber threats. This allows greater discretion in how to implement the security framework.
Several of the PSPF requirements refer to the ISM and some even list specific ISM controls. For example, PSPF requirement 10 refers to ISM controls 0843 and 1490 when discussing application whitelisting. This strengthens and clarifies the relationship between the two documents.
Similarly to the PSPF, significant effort has gone into simplifying the structure of the ISM in the update from the 2017 to the 2018 version (with the latest minor revision being in February 2019). The number of controls has decreased from 945 to 752 though 65 controls have been added so the number of redundant controls removed was 258, an indication of the extent of the document’s overhaul.
The reason for changing many controls is a move away from compliance and towards risk-based management. Perhaps that is why the Accreditation Authority has changed names and is now called the Authorising Officer.
ReaccreditationReaccreditation schedule requirements have been removed and reassessment is now based on altered risks and significant system changes. However there are still several other time-based activities such as reviews of documents, audits of accounts, vulnerability testing and penetration testing, review of system architecture and logging and event monitoring.
To encourage system-specific documentation, the mandatory documentation requirements have been reduced. The Information Security Policy is no longer necessary and the required operating procedures have been streamlined. The control stating the need for a Security Risk Management Plan has been removed; However, several controls refer to the conduct of risk management activities, so clearly something like an SRMP is still required.
Some changes reflect the changing nature of cyber threats. For example, there is greater emphasis on backups and controls for mobile devices. These addresses modern threats such as ransomware and attacks aimed at devices outside the physical security of a main office.
The ACSC web site (https://acsc.gov.au/infosec/ism/index.htm) lists all the changes that have been made.
Although there are many improvements in the ISM, the move away from compliance and towards a risk framework has caused some concern. While the change is in agreement with current thinking on information security, it may lead to organisations simply “accepting the risk” rather than improving security to a pre-determined baseline. This is particularly likely to happen in smaller organisations that do not have the resources for a comprehensive information security program and could lead to an overall decrease in the level of system security. We will have to wait and see if this ends up being the case.
If you with to discuss the implication of the changes with your existing or new ISM compliance program, feel free to book a time to speak with an experienced IRAP Assessor: