
The Irrational Security Monologue

  Published by: Joffy, Category: Information Security, Views: 652, Date: 2014-07-30

The Feedback Loop

So the ISM Policy Team is seeking feedback again on the new version of the ISM, namely the 2015 edition. As it happens, I have been providing guidance on some recent topics that could do with a spruce up; read on :-)

The suggestions below are a first round of suggestions and comments on these ISM topics, which were submitted to ASD by email on 30/7/2014.

Network Security

Under Ensuring Service Continuity, then Contacting Internet service providers, this topic speaks to how ISPs can help an Agency in the event of a distributed denial-of-service (DDoS) attack. It is implied (and logical to assume) that the ISP should be able to provide assurances to Agencies that, in the event of a directed attack against the Agency's network (for which the ISP provides carrier services), it is capable of responding to assist the Agency. Read the control:

Control: 1188; Revision: 1; Updated: Sep-12; Applicability: G, P, C, S, TS; Compliance: should; Authority: AA
Agencies should ensure their Internet service provider is capable of responding in the event of a DDoS attack against their network.

I suggest that this control could do with a slight re-wording: the second "their" in the statement should be something like "the Agency's", as it is ambiguous exactly what assurances should be sought from ISPs, i.e. whether it is the Agency or the ISP itself that is under attack.

Let me explain: this control can be misread in two ways, as suggesting that an Agency should seek assurance that:

Under Wireless Local Area Networks, then Bridging networks, this topic speaks to eliminating the ability of a device that supports both fixed and wireless Ethernet to be connected to both at the same time. Control 1336 suggests, preferably, physical disablement of wireless when connected to a fixed network; see below.

Control: 1336; Revision: 0; Updated: Sep-12; Applicability: G, P, C, S, TS; Compliance: should; Authority: AA
Wireless functionality on devices should be disabled, preferably by a hardware switch, whenever connected to a fixed network.

So the good question here is: how on earth do you enforce this when a device is capable of (and perhaps has a business requirement for) connecting to both fixed and wireless networks (for example a mobile device which docks, or which has both hardware interfaces internally)? Yes, OK, you can order hardware which has been crippled, which in effect means the device has no wireless; but what about devices that do?

I suggest that the ability to install and configure a Network Bridge be disabled via a suitable device management solution (e.g. by enforcing a domain policy, or via a third-party endpoint management solution). Additionally, why is there no specific guidance on the use of GSM/PSTN modem devices or similar mobile network dongles, or on the tethering of mobile phones to bypass Agency gateway controls? Good ole DUN (dial-up networking) seems like it would fly under the radar these days...
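As an added example (not part of the original post, and not ASD's or the ISM's own guidance), the following PowerShell shows one way the suggestion above could be enforced on a domain-joined Windows 8 / Server 2012-era fleet: set the Group Policy-backed registry values that prohibit Network Bridge creation and tell Windows Connection Manager to drop non-domain and wireless connections once a wired domain connection is up, and then, as a logon script or scheduled task, disable any 802.11, wireless WAN or Bluetooth adapter while a physical Ethernet adapter has link. The registry paths and value names are the documented policy settings; the adapter-matching strings and the "Network Bridge" adapter name are assumptions about how adapters report themselves and should be checked against Get-NetAdapter output on the target hardware before deployment.

```powershell
# Added example: software enforcement of ISM control 1336 (no wireless while on a
# fixed network) plus the Network Bridge prohibition. Run elevated on Windows 8 /
# Server 2012 or later (Get-NetAdapter and Disable-NetAdapter require the NetAdapter module).
#
# Registry values written by Set-NoBridgePolicy correspond to these Group Policies:
#   Network > Network Connections >
#     "Prohibit installation and configuration of Network Bridge on your DNS domain network"
#   Network > Windows Connection Manager >
#     "Minimize the number of simultaneous connections to the Internet or a Windows Domain"
#     "Prohibit connection to non-domain networks when connected to domain authenticated network"
# In production set these in a GPO rather than writing the registry directly, since
# Group Policy refresh will overwrite locally written values.

function Set-NoBridgePolicy {
    $nc  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
    $wcm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
    foreach ($key in $nc, $wcm) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # 0 = users (including local admins) cannot create a bridge on the domain network
    Set-ItemProperty -Path $nc  -Name 'NC_AllowNetBridge_NLA' -Value 0 -Type DWord
    # 1 = WCM disconnects the wireless link once a wired domain connection exists
    Set-ItemProperty -Path $wcm -Name 'fMinimizeConnections'  -Value 1 -Type DWord
    # 1 = no simultaneous connection to a non-domain network (e.g. a tethered phone's hotspot)
    Set-ItemProperty -Path $wcm -Name 'fBlockNonDomain'        -Value 1 -Type DWord
}

function Get-WiredUpAdapter {
    # Physical Ethernet adapters that currently have link. Note that USB tethering
    # (RNDIS) also presents as 802.3, which is why the bridge prohibition and the
    # non-domain block above matter as much as turning Wi-Fi off.
    Get-NetAdapter -Physical | Where-Object {
        $_.Status -eq 'Up' -and $_.PhysicalMediaType -eq '802.3'
    }
}

function Get-WirelessAdapter {
    # Wi-Fi ("Native 802.11"), cellular dongles / built-in WWAN, and Bluetooth PAN.
    # ASSUMPTION: these media-type strings; verify with
    #   Get-NetAdapter | Select-Object Name, InterfaceDescription, PhysicalMediaType
    Get-NetAdapter | Where-Object {
        $_.PhysicalMediaType -match '802\.11|WirelessLAN|Wireless WAN|BlueTooth' -or
        $_.InterfaceDescription -match 'Bluetooth'
    }
}

function Disable-WirelessWhenWired {
    [CmdletBinding()]
    param([switch]$WhatIf)   # -WhatIf reports what would be disabled without changing anything

    $wired = @(Get-WiredUpAdapter)
    if ($wired.Count -eq 0) {
        Write-Output 'No wired link; wireless adapters left as-is.'
    }
    else {
        $wireless = @(Get-WirelessAdapter | Where-Object { $_.Status -ne 'Disabled' })
        foreach ($a in $wireless) {
            Write-Output ("Wired link on '{0}': disabling '{1}' ({2})" -f
                $wired[0].Name, $a.Name, $a.PhysicalMediaType)
            if (-not $WhatIf) { Disable-NetAdapter -Name $a.Name -Confirm:$false }
        }
    }

    # Audit: report any bridge that exists despite policy. ASSUMPTION: a bridge
    # created through the Network Connections UI is named 'Network Bridge'.
    Get-NetAdapter | Where-Object { $_.Name -eq 'Network Bridge' } | ForEach-Object {
        Write-Warning ("Network bridge present on this host: '{0}' ({1})" -f
            $_.Name, $_.InterfaceDescription)
    }
}

Set-NoBridgePolicy
Disable-WirelessWhenWired
```

Because link state changes after logon (docking, plugging in a dongle), the check is only worth anything if it re-runs on network change, for instance as a scheduled task triggered on a NetworkProfile event, running as SYSTEM so a standard user cannot simply re-enable the adapter. Run it once with `Disable-WirelessWhenWired -WhatIf` on a sample of each hardware model to confirm the media-type matching before letting it disable anything.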

Glossary of Terms

High Assurance Products

Several controls refer only to High Assurance products, yet they apply to classifications below that of the information a High Assurance product would be protecting. The definition as provided by ASD is:

A product that has been approved by ASD for the protection of information classified CONFIDENTIAL or above.

Yet the following 8 controls are applicable to environments rated below CONFIDENTIAL:

Perhaps this control could be split into two controls (one for cross-domain, one for HA products)?

Control: 0283; Revision: 5; Updated: Feb-14; Applicability: G, P, C, S, TS; Compliance: must; Authority: AA

A couple of example topics for High Assurance Products where the applicability classification is as expected:

Peripheral switches

The level of assurance needed in a peripheral switch is determined by the highest and lowest sensitivity or classification of systems connected to the switch. When accessing systems through a peripheral switch it is important that sufficient assurance is available in the operation of the switch to ensure that information does not accidentally pass between the connected systems.

Control: 0591; Revision: 4; Updated: Sep-12; Applicability: G, P; Compliance: must; Authority: AA
Agencies must use a Common Criteria-evaluated product when accessing a classified system and a sensitive system via a peripheral switch.

Control: 0593; Revision: 5; Updated: Apr-13; Applicability: C, S, TS; Compliance: must; Authority: AA
Agencies must use a High Assurance product from ASD's EPL when accessing a highly classified system and a less classified system or sensitive system via a peripheral switch.

AND

Reducing storage and physical transfer requirements

When encryption is applied to media, whether the media resides in ICT equipment or not, it provides an additional layer of defense. Encryption does not change the sensitivity or classification of the information, but when encryption is used the storage and physical transfer requirements of the ICT equipment or media can be treated at an unclassified level.

Control: 1161; Revision: 2; Updated: Feb-14; Applicability: G; Compliance: must; Authority: AA
Agencies must use an encryption product that implements an AACA if they wish to reduce the storage or physical transfer requirements for ICT equipment or media that contains sensitive information to an unclassified level.

Control: 0457; Revision: 4; Updated: Feb-14; Applicability: P; Compliance: must; Authority: AA
Agencies must use a Common Criteria-evaluated encryption product that has completed an ACE if they wish to reduce the storage or physical transfer requirements for ICT equipment or media that contains classified information to an unclassified level.

Control: 0460; Revision: 6; Updated: Feb-14; Applicability: C, S, TS; Compliance: must; Authority: ASD
Agencies must use High Assurance products if they wish to reduce the storage or physical transfer requirements for ICT equipment or media that contains classified information to that of a lower classification.
