
The Irrational Security Monologue

  Published by: Joffy, Category: Information Security, Views: 641, Date: 2014-02-04

ISM2014-Draft Completed

So as promised, I have been working at transcribing the full ISM2014-Draft PDF with all 933 Controls into my project. 128 of these controls were changed according to ASD, however they forgot to update one control they changed, so it's actually 129. I was adding the Glossary/Reference section to the end of the document, but I came to realize that this will probably be brand new when the official version is finally released, so there is little point for now.

New XML Format

I have come up with a new XML document structure after fully discarding the original DSD/ASD format from 2012, which really didn't store the information as data efficiently; it was more a representation of a document exported from Word. Here's a brief preview of the new format:

<framework>
<title>Australian Government Information Security Manual</title>
<part>
    <title>About Information Security</title>
    <image></image>
    <chapter>
        <title>Using This Manual</title>
        <section>
            <objective>The Australian Government Information Security Manual (ISM) is used for the risk-based application of information security to information and systems.</objective>
            <scope>This section describes how to interpret the content and layout of this manual.</scope>
            <context>
                <topic>
                    <title>The Australian Signals Directorate</title>
                    <para>Under the Defence White Paper 2013, the Defence Signals Directorate (DSD) was renamed the Australian Signals Directorate (ASD). For legal and policy purposes, all references to ASD should be taken to be references to DSD.</para>
                </topic>
                <topic>
                    <title>Purpose of the Australian Government Information Security Manual</title>
                    <para>The purpose of this manual is to assist Australian government agencies in applying a risk-based approach to protecting their information and systems. While there are other standards and guidelines designed to protect information and systems, the advice in this manual is specifically based on the ASD's experience in providing cyber and information security advice and assistance to the Australian government.  The controls are therefore designed to mitigate the most likely threats to Australian government agencies.</para>
                </topic>
                <topic>
                    <title>Applicability</title>
                    <list><head>This manual applies to:</head>
                        <item>Australian government agencies that are subject to the Financial Management and Accountability Act 1997</item>
                        <item>bodies that are subject to the Commonwealth Authorities and Companies Act 1997 and that have received notice in accordance with that Act that the ISM applies to them as a general policy of the Government</item>
                        <item>other bodies established for a public purpose under the law of the Commonwealth and other Australian government agencies, where the body or agency has received a notice from their Portfolio Minister that the ISM applies to them</item>
                        <item>state and territory agencies that implement the Australian Government Protective Security Policy Framework</item>
                        <item>organisations that have entered a Deed of Agreement with the Government to have access to sensitive or classified information.</item>
                    </list>
                    <para>ASD encourages Australian government agencies, whether Commonwealth, state or territory, which do not fall within this list to apply the considered advice contained within this manual when selecting security controls on a case-by-case basis.</para>
                </topic>
                <topic>
                    <title>Authority</title>
                    <list><head>The Intelligence Services Act 2001 (the ISA) states that two functions of ASD, also known as DSD, are:</head>
                        <item>to provide material, advice and other assistance to Commonwealth and state authorities on matters relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means</item>
                        <item>to provide assistance to Commonwealth and state authorities in relation to cryptography, and communication and computer technologies.</item>
                    </list>
                    <para>This manual represents the considered advice of ASD provided in accordance with its designated functions under the ISA. Therefore agencies are not required as a matter of law to comply with this manual, unless legislation, or a direction given under legislation or by some other lawful authority, compels them to comply with it.</para>
                </topic>
                <topic>
                    <title>Legislation and legal considerations</title>
                    <para>This manual does not override any obligations imposed by legislation or law. Furthermore, if this manual conflicts with legislation or law the later takes precedence.</para>
                    <para>While this manual contains examples of when legislation or laws may be relevant for agencies, there is no comprehensive consideration of such issues. Accordingly, agencies should rely on their own inquiries in that regard.</para>
                </topic>
                <topic>
                    <title>Public systems</title>
                    <para>Agencies deploying public systems can determine their own security measures based on their business needs, risk appetite and security risks to their systems. However, ASD encourages such agencies to use this manual, particularly the objectives, as a guide when determining security measures for their systems.</para>
                </topic>
                <topic>
                    <title>Format of the Australian Government Information Security Manual</title>
                    <image></image>
                    <para>The three parts of the ISM are designed to complement each other and provide agencies with the necessary information to conduct informed risk-based decisions according to their own business requirements, specific circumstances and risk appetite.</para>
                    <para>The Executive Companion is aimed at the most senior executives in each agency, such as Secretaries, Chief Executive Officers and Deputy Secretaries, and comprises broader strategic messages about key information security issues.</para>
                    <para>The Principles document is aimed at Security Executives, Chief Information Security Officers, Chief Information Officers and other senior decision makers across government and focuses on providing them with a better understanding of the cyber threat environment. This document contains information to assist them in developing informed security policies within their agencies.</para>
                    <para>The Controls Manual is aimed at Information Technology Security Advisors, Information Technology Security Managers, Information Security Registered Assessors and other security practitioners across government. This manual provides a set of detailed controls which, when implemented, will help agencies adhere to the higher level Principles document.</para>
                    <para>ASD provides further information security advice in the form of device-specific guides, Australian Communications Security Instructions (ACSIs) and Protect publications - such as the Strategies to Mitigate Targeted Cyber Intrusions. While these publications reflect the policy specified in this manual, not all requirements in this manual can be implemented on all devices or in all environments. In these cases, device-specific advice issued by ASD may take precedence over the controls in this manual.</para>
                </topic>
                <topic>
                    <title>Framework</title>
                    <list><head>This manual uses a framework to present information in a consistent manner. The framework consists of a number of headings in each section:</head>
                        <item>Objective - the desired outcome of complying with the controls specified in the section, expressed as if the outcome has already been achieved</item>
                        <item>Scope and Context - the scope and applicability of the section. It can also include definitions, legislative context, related ISM sections and background information</item>
                        <item>Controls - procedures with associated compliance requirements for mitigating security risks to an agency's information and systems</item>
                        <item>References - sources of information that can assist in interpreting or implementing controls.</item>
                    </list>
                </topic>
                <topic>
                    <title>System applicability</title>
                    <para>Each control in this manual has an applicability indicator that indicates the information and systems to which the control applies.</para>
                    <list><head>The applicability indicator has up to five elements, indicating whether the control applies to:</head>
                        <item>G: Baseline controls advised for Australian government systems holding information which requires some level of protection. Applicable to government systems containing unclassified but sensitive or official information not intended for public release, such as Dissemination Limiting Marker information (i.e. Unclassified (DLM) systems). Unclassified (DLM) and 'Government' are not classifications under the Australian Government Security Classification System, as mandated by the Attorney-General's Department</item>
                        <item>P: PROTECTED information and systems</item>
                        <item>C: CONFIDENTIAL information and systems</item>
                        <item>S: SECRET information and systems</item>
                        <item>TS: TOP SECRET information and systems.</item>
                    </list>
                    <para>ASD maintains a System Controls Checklist to facilitate the incorporation of ISM advice into agencies' risk assessments.</para>
                </topic>
            </context>
            <controls></controls>
            <references></references>
        </section>
    </chapter>
</part>
</framework>

As you can tell from the above, the format is not compatible with the old DSD/ASD format and, for me at least, has a more logical and consumable structure. I have also gone back over my PSPF import and re-mapped the new controls back to the PSPF, so that if you comply with Control X from the ISM, it contributes to your mandatory requirement Y in the PSPF.
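To show the new structure being consumed as data rather than as a document, here is an added example (not part of the original post or the project's own tooling): it checks that every section carries the framework headings listed above and filters controls by the G/P/C/S/TS applicability indicator. The post shows `<controls>` empty, so the `<control id="..." applicability="...">` child element, and the sample content, are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the post's structure; the <control> elements are hypothetical
# (the post shows <controls> empty), with applicability given as the G/P/C/S/TS indicator.
SAMPLE_XML = """<framework>
<title>Australian Government Information Security Manual</title>
<part><title>About Information Security</title>
<chapter><title>Using This Manual</title>
<section>
<objective>Example objective.</objective>
<scope>Example scope.</scope>
<context><topic><title>System applicability</title><para>Example.</para></topic></context>
<controls>
<control id="0001" applicability="G P C S TS">Document the system's scope.</control>
<control id="0002" applicability="S TS">Use an approved cryptographic device.</control>
<control id="0003" applicability="P C">Label removable media.</control>
</controls>
<references/>
</section>
</chapter>
<chapter><title>Incomplete Chapter</title>
<section><objective>Missing the other headings.</objective></section>
</chapter></part></framework>"""

REQUIRED_HEADINGS = ("objective", "scope", "context", "controls", "references")
INDICATORS = ("G", "P", "C", "S", "TS")
ROOT = ET.fromstring(SAMPLE_XML)


def missing_headings(root):
    """Map each chapter title to the framework headings its sections lack."""
    problems = {}
    for chapter in root.iter("chapter"):
        title = chapter.findtext("title", default="?")
        for section in chapter.findall("section"):
            missing = [h for h in REQUIRED_HEADINGS if section.find(h) is None]
            if missing:
                problems[title] = missing
    return problems


def controls_for(root, indicator):
    """Return ids of controls whose applicability indicator includes `indicator`."""
    if indicator not in INDICATORS:
        raise ValueError(f"unknown applicability indicator {indicator!r}")
    return [c.get("id") for c in root.iter("control")
            if indicator in c.get("applicability", "").split()]
```

Running `controls_for(ROOT, "P")` on the sample yields the two controls that apply to PROTECTED systems, and `missing_headings(ROOT)` flags only the deliberately incomplete chapter.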

Testers

Versions have been sent out to ISM-Beta testers and I'll upload to the web later. Feedback on the accuracy of the transfer, and comments about how you use the ISM in your day-to-day, are super helpful for my aforementioned "filtering" tool to output relevant controls.

The data will be exported through the usual translators into the following formats (for upload to OnSecure) once ASD release the final document:

Got feedback? hit me up.
