Yesterday the ISM2016-Draft was released for comment by ASD via onSecure for review before the 21st of April. So over the next few days before and after the ACSC 2016 conference, I'll do my best to review mainly the ISM Controls themselves and highlight any issues I find.
Running Review of the 2016 Draft
So this review is checking the differences between the controls found:
- Between the issued PDF file and the XLS changes file
- Between the 2016-Draft, and the previous ISM revisions (2015 & 2014)
This is being live-edited as I go, so come back and visit later as I turn pages...
Front Cover
OK so what's going on here? The Draft copy of the ISM looks like the final release. Why is there no 'DRAFT' emblazoned across the front cover? They edited the front cover to say 2016, so why not add 'draft'?
My point being, if you print or have a digital copy of this lying about, how do you know it's the correct one once the final version is released?
Front Inside Cover
Yeah, same again: it says Publication Date: xx Apr 2016, but that's the only indicator that this is a DRAFT document.
Foreword
Everything here is a carbon-copy from the ISM2015 release, which is great. OK perhaps not, the footer for this entire document says 2015 - oooops!
Information Security Risk Management - Page 7
OK so this section looks OK, <strike>nowait! Control 1207 somehow goes back in time???
Control: 1207; Revision 1; Updated: Feb-14; ... < Last Year's 2015 Edition
Control: 1207; Revision 0; Updated: Sep-12; ... < 2016-Draft
What version are they working/editing from to manage to bone that up?</strike>
[EDIT] Nope, I boned that up - false alarm people; that's what you get when you're forced to transcribe everything by hand...
Outsourced General Information Technology Services - Page 18
Control 0873; Revision: 4; ... < Changed in XLS, not in the PDF.
OK so in the changes XLS, this has been rewritten for clarity but not changed in the draft PDF.
Outsourced General Information Technology Services - Page 19
Oh dear, this one is a doozy; so the following controls never had a revision 0, when they were introduced in 2015. This has been fixed, which is great; however someone changed them to MUST controls (in the XLS), but they are still SHOULD in the PDF; previously they were the same as well.
Control: 1451; Revision: 0; Updated: Apr-15; ... < Revision Error Fixed; compliance changed without revision
Control: 1452; Revision: 0; Updated: Apr-15; ... < Revision Error Fixed, compliance changed without revision
I back-edited my 2015 version to have the correct Revision '0'.
Reporting Cyber Security Incidents - Page 62
Control: 0143 was updated and is correct between versions - woot
Fax Machines and Multifunction Devices - Page 112
Control: 0590; Revision 3; Updated: Apr-16 ... < Incorrect revision date
This control was updated in the Changes XML from 2015 to revision 3 with this included text; however the 2015 PDF was not updated when it was released. This control is NOT NEW in 2016, sorry guys.
PSPF Mandatory Requirement INFOSEC4 Explained - Page 119
Control: 1353; Revision 3; Updated: Apr-15; ... < Content changed without revision
Yeah the Section Name within the "Application Whitelisting" row of the table changed from "Application Whitelisting" to "Standard Operating Environments" without this being revised to Revision 4, 2016.
Product Selection and Acquisition - Page 124
Control: 0282; Revision 5; Updated: Apr-15; ... < Control revision number fixed!
This control was incorrectly versioned in 2015 as revision 6; in the 2014 version of the ISM this control was revision 4 (so revision 5 was skipped).
Product Sanitisation and Disposal - Page 133
Control: 1455 and Control: 0317 have swapped positions in the ISM - meh reads ok still.
Media Sanitisation - Page 150
A brand new Topic has been added here, and I'm informed that this topic (and the controls) will be heavily reworded before release.
So if you're playing along at home and you've read Control: 1466 and said huh!? - It's ok; it's being revised or so I'm told...
Software Development - Page 169
I'm still waiting on a Context for this Section; one day I'll be a real boy...
Control: 1422; Revision: 1; Updated: Apr-16; ... < Updated in XLS but not in the PDF
Everybody remembers this random 2015 error where what seemed to be the tail end of one of the edits wasn't removed from the end of the sentence. All fixed now, but unfortunately someone forgot to update the PDF with this revision.
Privileged Access - Page 198
Control: 1175 < Updated for clarification
This control has had an update to help clarify what exactly you should be stopping your privileged users from doing/accessing.
Gateways - Page 261, 263
Control: 0629; Has completely moved within the document to page 264 - It reads much better in context here.
The topic Shared Ownership of Gateways with Control: 0607 and Control: 0608 have been relocated to page 264.
Cross Domain Solutions - Page 269
Control: 0627; Revision: 4; Updated: Feb-14; ... < Completely reworded
This is just a terrible lack of document control here. This control has been completely reworded, in both the 2016-Draft PDF and XML; yet this control has had no revision or update change in either the PDF or the XML file. FAIL
Control: 0675 Has just moved down a paragraph if you're looking for it.
Web Content and Connections - Page 276, 277
So yeah, this entire page 277 is actually a DUPLICATE of 276 - what happened there?
Mobile Devices - Page 290
<strike>Another control that goes back in time - </strike>I almost made it to the end without finding another error, sigh.
OK so this is a control that was changed in 2014 without having a revision change; I fixed this in my version, but this wasn't picked up by ASD in subsequent versions, and then it fell off the radar.
Control: 0869; Revision: 1; Updated: Nov-10; Applicability: G, P, C, S, TS; Compliance: should; Authority: AA ... 2013-08 Edition
Agencies should encrypt information on all mobile devices using at least a DACA.
Control: 0869; Revision: 1; Updated: Nov-10; Applicability: G, P, C, S, TS; Compliance: should; Authority: AA ... 2014-02 Edition
Agencies should encrypt information on all mobile devices using at least a<u>n A</u><strike>D</strike>ACA.
Control: 0869; Revision: 1; Updated: Nov-10; ... < 2016-Draft
<strike>There is absolutely no excuse for these sorts of errors.</strike> Poor document control is to blame here; I hate to think whether I would find more if I went back and transcribed everything from 2008 => 2012...
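As an added example (not the post's own code or any of the tools on the author's site), here is a small Python checker that does the cross-edition comparison this review performs by hand: it parses control headers in the layout transcribed above and flags a revision going backwards, text or compliance changing without a revision bump, and a revision bump without a new Updated date. The header layout and the two sample editions are assumptions built from the post's transcriptions, with the non-0869/1207 entries made up.

```python
import re
# Header format assumed from the post's hand transcriptions ("Revision 1" and "Revision: 1" both occur).
FIELD_RE = re.compile(r"(\w+):?\s*([^;]+)")

def parse_edition(blob):
    """Parse alternating 'Control: NNNN; Revision: N; ...' header and text lines into {number: fields}."""
    lines = [l.strip() for l in blob.strip().splitlines() if l.strip()]
    controls = {}
    for header, text in zip(lines[::2], lines[1::2]):
        f = {k.lower(): v.strip().lower() for k, v in FIELD_RE.findall(header)}
        f["revision"] = int(f["revision"])
        f["text"] = text
        controls[f["control"]] = f
    return controls

def check_document_control(older, newer):
    """Flag the document-control slips the post finds by hand, as (control, problem) pairs."""
    problems = []
    for num, new in newer.items():
        old = older.get(num)
        if old is None:
            continue  # brand new control: nothing to compare against
        if new["revision"] < old["revision"]:
            problems.append((num, "revision went backwards"))
        elif new["revision"] == old["revision"]:
            if new["text"] != old["text"]:
                problems.append((num, "text changed without revision"))
            if new["compliance"] != old["compliance"]:
                problems.append((num, "compliance changed without revision"))
        elif new["updated"] == old["updated"]:
            problems.append((num, "revision bumped but Updated date unchanged"))
    return problems

# Constructed sample editions: the 0869 and 1207 headers follow the post's transcriptions, the rest is made up.
EDITION_2015 = """
Control: 0869; Revision: 1; Updated: Nov-10; Applicability: G, P, C, S, TS; Compliance: should; Authority: AA
Agencies should encrypt information on all mobile devices using at least a DACA.
Control: 1451; Revision: 0; Updated: Apr-15; Compliance: should; Authority: AA
Constructed text for an outsourcing control.
Control: 1207; Revision 1; Updated: Feb-14; Compliance: should; Authority: AA
Constructed text for a risk management control.
"""
EDITION_2016 = """
Control: 0869; Revision: 1; Updated: Nov-10; Applicability: G, P, C, S, TS; Compliance: should; Authority: AA
Agencies should encrypt information on all mobile devices using at least an AACA.
Control: 1451; Revision: 0; Updated: Apr-15; Compliance: must; Authority: AA
Constructed text for an outsourcing control.
Control: 1207; Revision 0; Updated: Sep-12; Compliance: should; Authority: AA
Constructed text for a risk management control.
"""
if __name__ == "__main__":
    print(check_document_control(parse_edition(EDITION_2015), parse_edition(EDITION_2016)))
```

Run against the two real editions (PDF transcription vs the changes XLS export), it produces the same kind of "changed without revision" list this post builds one page at a time.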
My work here is done...
Drop me a line if you have your own thoughts/complaints about the ISM; I can commiserate :-)
Note: I freely admit that during this review I have now discovered <b>7 errors</b> in the validity of my ISM-XML source files; they have been updated online to feed all the tools on my site.
You will note the revision changes to both 2014 and 2015 editions of the ISM. If you spot an error, let me know...