
The Irrational Security Monologue

  Published by: Joffy, Category: Information Security, Views: 1415, Date: 2018-12-06

ISM2018 September Release - The Good, the Bad and the Ugly

Half reviewed, re-written, updated again, and then yet another update to the ISM in November: I had to call that the last revision covered by this review of the ISM, as it is clear that monthly updates are to be the norm.

However, let's get into this year's shiny new ISM format!

The Good

Breakdown

The 2018 ISM contains 750 controls, after a massive revision that deleted 195 of last year's controls, added 63 new controls and revised the remaining 687.

The Agency Accreditation Authority requirement has now gone, and the rest of the document is streamlined towards risk management rather than compliance management.

Compliance requirements have been rewritten as positive statements, so there are now only 454 'must' and 296 'should' controls. No more 'must not' or 'should not' controls.

Classification breakdown is:

Restructure of the document

Since way back in 2012 the ISM has had a reasonably consistent structure, namely a hierarchical structure which provided a logical grouping of controls and the context for implementing them.

This was, as defined by DSD/ASD (with my addition of 'Topics'), as follows:

However, the new document has streamlined the ISM to ensure that the key information is concise and readable, removing the Section components of:

We now have a healthy consistent document flow as follows:

For example like this:

The Bad

This section is something of a commentary on things that could be better within the controls document, or perhaps things that are missing and really should be there.

Weirdly placed content

Control 0597 (found on page 152) seems to have been placed in the wrong topic, given its intent.

Control Revision Errors

Even ignoring changes to the classification (the applicability of a control) and any changes to the authority, there are still modifications to the control wording which have not been captured in the revision metadata. However small these changes may seem, they are changes to the content of the control, and the revision number should reflect them.

Control 0705

This control should be at revision 4: the wording was revised in the 2014 release (which should have become revision 3) without the revision being recorded, and again in 2018 (which should be revision 4).

[2018] Security Control: 0705; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must When accessing an organisation system via a VPN connection, split tunnelling is disabled.

[2017] Control: 0705; Revision: 2; Updated: Nov-10; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA Agencies must disable split tunnelling on devices supporting this functionality when using an agency system via a VPN connection.

[2016] Control: 0705; Revision: 2; Updated: Nov-10; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA Agencies must disable split tunnelling on devices supporting this functionality when using an agency system via a VPN connection.

[2015] Control: 0705; Revision: 2; Updated: Nov-10; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA Agencies must disable split tunnelling on devices supporting this functionality when using an agency system via a VPN connection.

[2014] Control: 0705; Revision: 2; Updated: Nov-10; Applicability: G, P, C, S, TS; Compliance: must; Authority: AA Agencies must disable split tunnelling on devices supporting this functionality when using an agency system via a VPN connection.

[2013] Control: 0705; Revision: 2; Updated: Nov-10; Applicability: G, P, C, S, TS; Compliance: must; Authority: AH Agencies must disable split tunnelling when using a VPN connection from a mobile device to connect to a system.

[2012] Control: 0705; Revision: 2; Updated: Nov-10; Applicability: G, P, C, S, TS; Compliance: must; Authority: AH Agencies must disable split tunnelling when using a VPN connection from a mobile device to connect to a system.

[2011] Control: 0705; Revision: 2; Updated: Nov-10; Applicability: G, P, C, S, TS; Compliance: must Agencies must disable split tunnelling when using a VPN connection from a mobile device to connect to a system.

[2010] Control: 0705; Revision: 2; Updated: Nov-10; Applicability: U, IC, R/P, C, S/HP, TS; Compliance: must Agencies must disable split tunnelling when using a VPN connection from a mobile device to connect to a system.

Control 1059

This control should be at revision 4, as the grammar was fixed ('a AACA' became 'an AACA') in the 2016 release without a revision bump.

[2018] Security Control: 1059; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must Media is encrypted with at least an Australian Signals Directorate (ASD) Approved Cryptographic Algorithm (AACA).

[2017] Control: 1059; Revision: 2; Updated: Feb-14; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should encrypt media with at least an AACA even if being transferred through an area certified and accredited to process the sensitivity or classification of the information on the media.

[2016] Control: 1059; Revision: 2; Updated: Feb-14; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should encrypt media with at least an AACA even if being transferred through an area certified and accredited to process the sensitivity or classification of the information on the media.

[2015] Control: 1059; Revision: 2; Updated: Feb-14; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should encrypt media with at least a AACA even if being transferred through an area certified and accredited to process the sensitivity or classification of the information on the media.

[2014] Control: 1059; Revision: 2; Updated: Feb-14; Applicability: G, P, C, S, TS; Compliance: should; Authority: AA Agencies should encrypt media with at least a AACA even if being transferred through an area certified and accredited to process the sensitivity or classification of the information on the media.

Control 0357

This control should be at revision 5, as 'readback' was changed to 'read back' in the 2017 release without a revision bump.

[2018] Security Control: 0357; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must Non-volatile EPROM media is sanitised by erasing the media in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern followed by a read back for verification.

[2017] Control: 0357; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA Agencies must sanitise non-volatile EPROM media by erasing in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification.

[2016] Control: 0357; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA Agencies must sanitise non–volatile EPROM media by erasing in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern, followed by a readback for verification.

Control 1163

This control should be at revision 3, as it was updated in 2017 (see the last bullet point, where 'monitoring new information' became 'monitoring information') without a revision bump, and again in 2018 with an overall rewording.

[2018] Security Control: 1163; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Should A vulnerability management strategy is developed and implemented that includes: • conducting vulnerability assessments and penetration tests for systems throughout their life cycle to identify security vulnerabilities • analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations or treatments based on effectiveness, cost and existing security controls • using a risk-based approach to prioritise the implementation of identified mitigations or treatments • monitoring information on new or updated security vulnerabilities in operating systems, software and ICT equipment as well as other elements which may adversely impact the security of a system.

[2017] Control: 1163; Revision: 1; Updated: Sep-12; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should implement a vulnerability management strategy by: • conducting vulnerability assessments on systems throughout their life cycle to identify vulnerabilities • analysing identified vulnerabilities to determine their potential impact and appropriate mitigations or treatments based on effectiveness, cost and existing security controls • using a risk-based approach to prioritise the implementation of identified mitigations or treatments • monitoring information on new or updated vulnerabilities in operating systems, software and devices as well as other elements which may adversely impact on the security of a system.

[2016] Control: 1163; Revision: 1; Updated: Sep-12; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should implement a vulnerability management strategy by: • conducting vulnerability assessments on systems throughout their life cycle to identify vulnerabilities • analysing identified vulnerabilities to determine their potential impact and appropriate mitigations or treatments based on effectiveness, cost and existing security controls • using a risk–based approach to prioritise the implementation of identified mitigations or treatments • monitoring new information on new or updated vulnerabilities in operating systems, software and devices as well as other elements which may adversely impact on the security of a system.

[2015] Control: 1163; Revision: 1; Updated: Sep-12; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should implement a vulnerability management strategy by: • conducting vulnerability assessments on systems throughout their life cycle to identify vulnerabilities • analysing identified vulnerabilities to determine their potential impact and appropriate mitigations or treatments based on effectiveness, cost and existing security controls • using a risk–based approach to prioritise the implementation of identified mitigations or treatments • monitoring new information on new or updated vulnerabilities in operating systems, software and devices as well as other elements which may adversely impact on the security of a system.

Control 0628

This control should be at revision 5, as it was updated in 2016 (adding 'or cross domain solutions') and the metadata was not changed to reflect this.

[2018] Security Control: 0628; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must All systems are protected from systems in other security domains by one or more gateways or CDS.

[2017] Control: 0628; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA Agencies must ensure that: • all systems are protected from systems in other security domains by one or more gateways or cross domain solutions • all gateways contain mechanisms to filter data flows at the network layer.

[2016] Control: 0628; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA Agencies must ensure that: • all systems are protected from systems in other security domains by one or more gateways or cross domain solutions • all gateways contain mechanisms to filter data flows at the network layer.

[2015] Control: 0628; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA Agencies must ensure that: • all systems are protected from systems in other security domains by one or more gateways • all gateways contain mechanisms to filter data flows at the network layer.

Control 1192

UPDATE: fixed in the 2019-01 revision.

This control should be at revision 2, as it was updated in 2016 ('all gateways' became 'all connections between security domains') and the metadata was not changed to reflect this.

[2018] Security Control: 1192; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Should All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model.

[2017] Control: 1192; Revision: 0; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should ensure that all connections between security domains contain mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model.

[2016] Control: 1192; Revision: 0; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should ensure that all connections between security domains contain mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model.

[2015] Control: 1192; Revision: 0; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should ensure that all gateways contain mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model.

Control 1037

With the change of 'random' to 'irregular' in the 2016 release of the ISM and no revision change recorded, this control should be at revision 5.

[2018] Security Control: 1037; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Should Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls.

[2017] Control: 1037; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should ensure that testing of security measures is performed at irregular intervals no more than six months apart.

[2016] Control: 1037; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should ensure that testing of security measures is performed at irregular intervals no more than six months apart.

[2015] Control: 1037; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should ensure that testing of security measures is performed at random intervals no more than six months apart.

Control 0627

The revision number goes backwards from 5 (2016) to 4 (2017), and the 2018 edition then updates the wording again; this control should be at revision 6.

[2018] Security Control: 0627; Revision: 5; Updated: Sep-18; Applicability: S, TS; Priority: Must When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with.

[2017] Control: 0627; Revision: 4; Updated: Feb-14; Applicability: C, S, TS; Compliance: must; Authority: AA Agencies introducing additional connectivity to a CDS, such as adding a new gateway to a common network, must consult with ASD Technical Assessments on the impact to the security of the CDS and comply with all directions provided.

[2016] Control: 0627; Revision: 5; Updated: May-16; Applicability: C, S, TS; Compliance: must; Authority: AA Agencies introducing additional connectivity to a CDS, such as adding a new gateway to a common network, must consult with ASD Technical Assessments on the impact to the security of the CDS and comply with all directions provided.

[2015] Control: 0627; Revision: 4; Updated: Feb-14; Applicability: C, S, TS; Compliance: must; Authority: AA Agencies connecting a typical gateway and a CDS to a common network must consult with ASD Technical Assessments on the impact to the security of the CDS and comply with all directions provided.

[2014] Control: 0627; Revision: 4; Updated: Feb-14; Applicability: C, S, TS; Compliance: must; Authority: AA Agencies connecting a typical gateway and a CDS to a common network must consult with ASD Technical Assessments on the impact to the security of the CDS and comply with all directions provided.
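The revision tracking above can be mechanised. The following Python script is an added example and not part of the original post: it parses control lines in the year-prefixed format quoted above (an assumption about the layout, since the real ISM is not distributed that way), compares the wording across releases, and flags any release where the wording changed without a revision bump or where the revision went backwards, then reports what the revision should be. Whitespace and typographic dash differences are ignored by choice, so that only wording counts. The sample input is transcribed from the 1037 and 0627 entries quoted in this post.

```python
import re
from collections import defaultdict

# Matches one per-year control line as quoted in this post, e.g.
#   [2017] Control: 0705; Revision: 2; Updated: Nov-10; Applicability: ...; Compliance: must; Authority: AA <text>
#   [2018] Security Control: 0705; Revision: 3; Updated: Sep-18; Applicability: ...; Priority: Must <text>
# The 2010/2011 lines have no Authority field. The control text runs to the end of the
# line and may itself contain "; " (see 0627 in 2018), so the header is matched field
# by field instead of splitting on semicolons.
CONTROL_RE = re.compile(
    r"^\[(?P<year>\d{4})\]\s+(?:Security\s+)?Control:\s*(?P<id>\d+);\s*"
    r"Revision:\s*(?P<rev>\d+);\s*Updated:\s*[^;]+;\s*Applicability:\s*[^;]+;\s*"
    r"(?:Compliance|Priority):\s*\w+(?:;\s*Authority:\s*\w+)?\s+(?P<text>.+)$"
)


def normalise(text):
    """Collapse whitespace and en/em dashes so that only wording differences count."""
    text = text.replace("\u2013", "-").replace("\u2014", "-")
    return re.sub(r"\s+", " ", text).strip()


def parse_controls(lines):
    """Group parsed entries as {control_id: [(year, revision, text), ...]}, oldest first."""
    history = defaultdict(list)
    for line in lines:
        m = CONTROL_RE.match(line.strip())
        if not m:
            continue  # not a control line; ignore commentary
        history[m["id"]].append((int(m["year"]), int(m["rev"]), normalise(m["text"])))
    for entries in history.values():
        entries.sort()
    return history


def audit(lines):
    """Return {control_id: (recorded_revision, expected_revision, [findings])}.

    The expected revision starts from the oldest release's number and is
    incremented once for every release in which the wording changed.
    """
    report = {}
    for cid, entries in parse_controls(lines).items():
        findings = []
        prev_year, prev_rev, prev_text = entries[0]
        expected = prev_rev
        for year, rev, text in entries[1:]:
            changed = text != prev_text
            if changed:
                expected += 1
            if rev < prev_rev:
                findings.append(f"{year}: revision went backwards ({prev_rev} -> {rev})")
            if changed and rev == prev_rev:
                findings.append(f"{year}: wording changed since {prev_year} but revision still {rev}")
            prev_year, prev_rev, prev_text = year, rev, text
        report[cid] = (prev_rev, expected, findings)
    return report


# Sample input transcribed from the control entries quoted in this post.
SAMPLE_LINES = [
    "[2018] Security Control: 1037; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Should Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls.",
    "[2017] Control: 1037; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should ensure that testing of security measures is performed at irregular intervals no more than six months apart.",
    "[2016] Control: 1037; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should ensure that testing of security measures is performed at irregular intervals no more than six months apart.",
    "[2015] Control: 1037; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA Agencies should ensure that testing of security measures is performed at random intervals no more than six months apart.",
    "[2018] Security Control: 0627; Revision: 5; Updated: Sep-18; Applicability: S, TS; Priority: Must When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with.",
    "[2017] Control: 0627; Revision: 4; Updated: Feb-14; Applicability: C, S, TS; Compliance: must; Authority: AA Agencies introducing additional connectivity to a CDS, such as adding a new gateway to a common network, must consult with ASD Technical Assessments on the impact to the security of the CDS and comply with all directions provided.",
    "[2016] Control: 0627; Revision: 5; Updated: May-16; Applicability: C, S, TS; Compliance: must; Authority: AA Agencies introducing additional connectivity to a CDS, such as adding a new gateway to a common network, must consult with ASD Technical Assessments on the impact to the security of the CDS and comply with all directions provided.",
    "[2015] Control: 0627; Revision: 4; Updated: Feb-14; Applicability: C, S, TS; Compliance: must; Authority: AA Agencies connecting a typical gateway and a CDS to a common network must consult with ASD Technical Assessments on the impact to the security of the CDS and comply with all directions provided.",
    "[2014] Control: 0627; Revision: 4; Updated: Feb-14; Applicability: C, S, TS; Compliance: must; Authority: AA Agencies connecting a typical gateway and a CDS to a common network must consult with ASD Technical Assessments on the impact to the security of the CDS and comply with all directions provided.",
]

if __name__ == "__main__":
    for cid, (recorded, expected, findings) in sorted(audit(SAMPLE_LINES).items()):
        status = "OK" if recorded == expected and not findings else "MISMATCH"
        print(f"Control {cid}: recorded revision {recorded}, expected {expected} [{status}]")
        for f in findings:
            print(f"  - {f}")
```

Run as-is it reports 1037 at recorded revision 4 where 5 is expected (the unrecorded 2016 'random' to 'irregular' change) and 0627 at 5 where 6 is expected (the 2017 step backwards). To apply it to a full set of releases, feed it every year's lines for each control; the check is only as good as the text you give it, so transcription noise such as stray dashes will show up as wording changes unless normalise() is taught to ignore them.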

The Ugly

Frankly, I find this new layout a refreshing change, and it has truly lowered the wall-of-text hurdle for practitioners to get to the useful information quickly.

So basically I'm saying I find nothing really ugly about this ISM; it is (dare I say) quite good. The jury is still out on the agile monthly updates, however...

Footnote

With such a huge change to the format, this edition is much nicer to work with; however, the current monthly updates are far too frequent to keep apprised of. I honestly see it as detrimental to compliance, as you may provide scoping advice to a project and within a matter of weeks the ISM control requirements may change.

Thank you for reading through this post this year.

[edit] late re-touches on this article

-DISCLAIMER-

