Updated January, 2017
Hello and welcome to Joffy's ISM project website, my name is James Mouat (as you may have guessed from the domain) but people call me Joffy. I'm based in Canberra, Australia and work for Ionize as an Information Security Consultant.
Out of the office I like to get involved in local technology and security-focused groups as well as volunteering at 87.8 UCFM as their Technical Director.
This website may not be the slickest website around, because I spend more of my energy writing content for and refining the tools avaliable for use on the site; but I do hope you find them useful in some way.- Enjoy
This project started back in 2012 after writing a debugging tool to handle the parsing of the xml format of the ISM as published by ASD. Quickly this tool was expanded to become a validation tool for the ISM-XML file, fixing many of the errors in it's creation. This became especially useful the following year when ASD announced that they would no longer be publishing an XML format of the ISM, and the XML format was required for a couple integration project I was working on at work.
So in 2013, I took the existing 2012 XML and updated the controls that changed in the April edition of the ISM. I came to realise the limitations with the original ASD formatted ISM-XML, which was more of a document representation of the ISM in an XML file, rather than a typical data-format XML file. Before and during the transcription of the August 2013 edition of the ISM, I developed the now used ISM-XML format used today by all tools on my site as the source-of-truth.
The toolset quickly expanded when a fully integrated HTML output was developed, which closely replicated the ISM-PDF document itself. This was expanded in 2014 to include over fifteen different data transformations form the source ISM-XML source format, which inlcuded: Graphs, Tables, Statistical breakdowns, lists in CSV, MSSQL and MySQL insert statements, JSON datapacks and 3rd party propritory data packs (such as Lumension Risk Manager).
A mobile version of the ISM was started in 2014 and it was called 'Guidance Browser'. After developing 2 different prototypes and 3 application revisions for Android; which enabled you to browse the entire ISM offline on your phone. I found it too pokey and difficult to maintain useability with such a rich document, and I wasn't happy releasing a tool that was annoying to use.
Returning to develop further extending the functionality of the desktop-browser based toolset at the end of 2014, as the humble little project was launched on my website and made public for the first time.
Whilst this project is still a labour of love/hate, I do become invigorated every time I recieve another random email out of the blue from a security practioner who has stumbled on my project and found it to be exactly what they needed. These emails and words of encouragement (and frankly coffee shops on weekends) keep me continually working on making the toolset better and more universally useful for a very wide audience of the ISM.
The toolset was borne out of my frustration that I needed something to kickstart the gruntwork that seemingly everyone does every time a new ISM becomes avaliable. Editing 'last years' excel file and Adding/Modifying/Deleting the controls to match the current release so you can begin your SOA was something everyone was doing either by hand, or they have a mate (who got it from a mate...). I found this unsatisfactory and generating more than an excel file or a HTML view was a drop in the ocean compared to my longer term goals.
The tools publically avaliable on my website (especially the checklist builder) is not designed to be all-things to all-people; rather it is a perfectly adequate baseline solution that all of us need solving.
I have several prototypes and one-off tools which get used regularly but harly ever see the light of day. Some of my long-term projects that I am working on are as follows:
HTML-View of the ISM on steroids, contains references and anotations to all aspects of the ISM and reference materials. Also provides for see Previous/Next revision of a control statement enabling fast review of control information.
Online requirements analysis and auditing tool. Fully runs within browser, no data stored remotely, local saving of 'System Assessment Files'.
Tablet/Phone reference companion, can open TISM files and will support multiple frameworks such as ISM, PSPF and NZISM.