Cyber… a word that is becoming all too popular, and more pervasive by the day, is a big thing in government. You don’t have to look very far to see it, as it is signposted everywhere. There are regular stories in the news cycle about security breaches, hacks, new vulnerabilities and new threat actors. As the government’s response to this landscape, the Australian Cyber Security Centre (ACSC), which sits within the statutory agency the Australian Signals Directorate (ASD), provides guidelines, advice and prevention approaches for cyber security threats, primarily for the public sector but also in collaboration with the private sector. There is a strong need for public sector entities to secure their systems, because the data within their datasets is of such a sensitive nature that in some instances a compromise can pose a threat to life. I believe every effort should be taken to implement secure systems through security by design in a risk management approach, rather than implementing multiple tiers of security for the sake of potential impacts.
The main mechanism for security risk management promoted by the ACSC is the Information Security Manual (ISM). The most recent update to the ISM was April 2019. The ISM provides a framework for risk management through the use of controls across an array of areas, ranging from physical security and personnel security to security incident management, mobile device usage and media sanitisation. It is a very comprehensive list of controls. The ISM takes a risk management approach to security: responsibility for each control is assigned to a named owner, and that owner accepts the compliance or non-compliance that follows from the control’s outcome. The ASD also provides a useful assessment aid that makes the controls easier to digest by grouping them according to the protective markings defined in the Attorney-General’s Department (AGD) Protective Security Policy Framework (PSPF):
- O: OFFICIAL (including OFFICIAL: Sensitive)
- P: PROTECTED
- S: SECRET
- TS: TOP SECRET