The Irrational Security Monologue

  Published by: Joffy, Category: Information Security, Views: 812, Date: 2013-07-19

The PSPF Update for INFOSEC 4

So the next revision of the Australian Government's most confusing and disjointed Information Security compliance document is out, with an eye trained on the new Mandatory Requirement: INFOSEC 4.

So what is it and how does it apply to our environment?

[EDIT] Updated for the ISM2014-02 release

Mandatory requirement

INFOSEC 4: Agencies must document and implement operational procedures and measures to ensure information, ICT systems and network tasks are managed securely and consistently, in accordance with the required security. This includes implementing the mandatory 'Strategies to Mitigate Targeted Cyber Intrusions' as detailed in the Australian Government Information Security Manual.

OK, that's great, and it seems straightforward: we need to make sure we have up-to-date system documentation that outlines how we have 'securely and consistently managed' our ICT systems and networks. That should be easy to churn through if you already have the full gamut of system documentation (SSP, SRMP, SOPs, Work Instructions, As-Built documentation, etc.) for every system.

But Wait, There's More!

However, we aren't done here, as we also need to show how we have implemented the mitigation strategies outlined in the ISM section 'PSPF Mandatory Requirement INFOSEC 4 Explained', which requires us to implement the Top 4 Mitigation Strategies <- NEW PDF!!

These 'Top 4' strategies effectively require the implementation of 21 controls, which apply as follows:

Mitigation Strategy                 Mandatory Controls
Application whitelisting            0843, 0845, 0846, 0848, 0849
Patch applications                  0300, 0303, 0304, 0940, 0941, 1143, 1144, 1348, 1349
Patch operating systems             0300, 0303, 0304, 0940, 0941, 1143, 1144, 1348, 1350, 1351
Minimise administrative privileges  0445, 1175, 0405