
The Irrational Security Monologue

Published by: Joffy, Category: Information Security, Views: 1388, Published: 2014-10-30

ASD Seeking Consultation for ISM

I'm generalising from my own experience and that of roughly 95% of the people I've spoken to on this topic: ASD's engagement (read: two-way communication) with the populace who try to decipher and implement the ISM in their day-to-day work is something of a disconnect.

I don't mean to say they don't communicate, but with a call-sign of 'Reveal Their Secrets - Protect Our Own', can you blame them?

So you can imagine my utter joy at finding and speaking with many fine people at SiG'14, namely over at the ASD stand, who strangely actually wanted to 'discuss' my thoughts on the ISM and its format. To be fair, perhaps it was my dashing good looks, but it was most probably my ISM Project showing off the HTML version, and my flashing about the Android application (still in development), that had their attention - who knows?

Anyway, I move on. Yesterday I received a personal email from the 'Cyber and Information Security Division' referring to our conversation at SiG and seeking my feedback regarding the next version of the ISM. Frankly I stopped reading the email at this point and excitedly told one of my colleagues that I had received a personal email from the ISM Policy team; I'm rather sure his response was 'surely not', but several magnitudes of colourful language higher than that. In short, they had posted on OnSecure a list of 'questions' and would like some feedback addressing them.

So, in the interests of this blog in general, I'll lay out (some of) my concerns and the feedback I provided to ASD.

Most annoyingly, these thoughts and this feedback were posted to OnSecure before the whole migration; unfortunately ASD have 'forgotten' to restore this particular post and the related comments.

ASD Seeking Feedback

How do you feel about the current format of the ISM? Does the current format of a PDF file meet your needs?

a) Me personally, not really. The ability to copy-paste information from the PDF into Word, Excel or even an email is unpredictable, because the PDF compression/optimisation applied to the last edition rearranged the content into logical text boxes for optimum compression (an artefact of using InDesign to 'publish' the ISM PDF). In practice this means that when you copy a paragraph or table of text out of the ISM, the text comes out re-arranged.

b) The other problem is that no raw-content version of the ISM is available (RTF/DOC/TXT etc.). For those in industry who like to make or do their own thing with the document, as I do, it becomes a labour of at least 30+ hours to painstakingly copy-paste from the PDF - see problem (a) above.

What format would best meet your requirements? Do you think there is a more efficient way to present the ISM? For example, do you see value in delivering the ISM as an e-book, mobile app, XML document or any other format?

a) For my requirements, for example: I spend most of my time providing guidance through scoping and advice, and that information is copy-pasted directly from my HTML version (also seen here). After a lot of development I have concluded that a mobile app is good as a reference if required, but the small format is too restrictive for any use beyond that unless a large-format application supplements the functionality it provides; hence I have continued developing my web-application version. So, to answer the question: I can see how a mobile app is of use to many, but a more electronic format is more advantageous for me, because I can provide a direct hyperlink to a section, e.g. http://james.mouat.net.au/ISM2014.htm#ISM-5.0.0, or even to a specific control, e.g. http://james.mouat.net.au/ISM2014.htm#CTL-1353. More advanced versions I'm working on let you send a hyperlink that defines an applicability, an authority, or just the controls updated in a particular year.

b) XML would be great; however, it would need to actually work for the people who need it. The last XML version, released by DSD in 2012, did not parse correctly due to tag capitalisation mismatches and erroneous close tags. XML element names are case-sensitive, so an element opened as one case and closed as another is a well-formedness error that any conforming parser rejects outright, rather than something a consumer can work around.

c) Headings and layout are a small annoyance of mine. The document reads OK as a PDF/print version, but if you go to use it any other way you run into the problem of missing section headers: with the exception of "About Information Security" and "Information Technology Security", all parts of the ISM adhere to a tidy three-tier heading arrangement of Part/Chapter/Section.

d) One other format that I think would be frankly brilliant is JSON. I have a full version of the 2014 ISM in JSON, which I build from my project, but considering the amount of work and effort I have put into it over the years it is not something I provide to the public. If ASD were to develop and maintain a JSON version of the ISM, it could be consumed as an authoritative data source.
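As an added example (not code from the original post or from the author's ISM Project), the following script shows the three practical points raised in (a), (b) and (d) above: a well-formedness check that reports exactly why an XML edition fails to parse, extraction of the parsed controls into a deterministic JSON edition, and construction of the #ISM-x.y.z section and #CTL-nnnn control anchors the HTML version uses. The element names (ISM, Control, Text), attribute names, revision numbers and control wording in the sample documents are constructed placeholders, not ASD's published schema; only the base URL and the two anchor formats are taken from the post.

```python
"""Added example, not part of the original post: check an XML edition of the
ISM for well-formedness, turn its controls into JSON, and build section /
control anchor links.

All element and attribute names, and the control text, are assumptions
constructed for illustration; they are not ASD's published schema.
"""

import json
import xml.etree.ElementTree as ET

BASE_URL = "http://james.mouat.net.au/ISM2014.htm"  # URL quoted in the post

# Constructed sample reproducing the kind of defect the post describes:
# <Control> is closed with </control>. XML is case-sensitive, so this is a
# well-formedness error and a conforming parser must reject the document.
BROKEN_XML = """<ISM>
  <Control id="1353">
    <Text>placeholder control text (constructed)</Text>
  </control>
</ISM>"""

# Same content with the close tag corrected (constructed sample).
GOOD_XML = """<ISM>
  <Control id="1353" revision="1">
    <Text>placeholder control text (constructed)</Text>
  </Control>
  <Control id="0042" revision="3">
    <Text>another placeholder control (constructed)</Text>
  </Control>
</ISM>"""


def check_well_formed(doc: str):
    """Return (True, None) if doc parses, otherwise (False, parser message).

    The expat message names the defect and its position, e.g.
    'mismatched tag: line N, column M', which is what to send back to the
    publisher instead of 'it does not parse'."""
    try:
        ET.fromstring(doc)
    except ET.ParseError as exc:
        return False, str(exc)
    return True, None


def controls_from_xml(doc: str):
    """Extract each <Control> into a plain dict.

    Raises on malformed input rather than guessing, so a broken edition
    cannot silently yield a partial control set."""
    root = ET.fromstring(doc)
    controls = []
    for ctl in root.iter("Control"):
        text_el = ctl.find("Text")
        controls.append({
            "id": ctl.get("id"),
            "revision": int(ctl.get("revision", "0")),
            "text": (text_el.text or "").strip() if text_el is not None else "",
        })
    return controls


def controls_to_json(controls) -> str:
    """Serialise deterministically (sorted keys, fixed indent) so two builds
    of the same edition are byte-identical and can be diffed or hashed."""
    return json.dumps(controls, indent=2, sort_keys=True)


def anchor_url(kind: str, ident: str) -> str:
    """Build the fragment links used by the post's HTML version:
    #ISM-<section> for a section, #CTL-<number> for a control."""
    prefixes = {"section": "ISM-", "control": "CTL-"}
    if kind not in prefixes:
        raise ValueError(f"unknown anchor kind: {kind}")
    return f"{BASE_URL}#{prefixes[kind]}{ident}"


if __name__ == "__main__":
    ok, msg = check_well_formed(BROKEN_XML)
    print("broken edition accepted?", ok, "-", msg)
    ok, _ = check_well_formed(GOOD_XML)
    print("fixed edition accepted?", ok)
    ctls = controls_from_xml(GOOD_XML)
    print(controls_to_json(ctls))
    for c in ctls:
        print(c["id"], "->", anchor_url("control", c["id"]))
    print(anchor_url("section", "5.0.0"))
```

Running the script against a real XML release in place of the constructed sample is the check worth doing on the day it is published: a parse error with a line and column is actionable feedback, and the JSON output gives you a stable, diffable edition to build tooling on.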

Given the opportunity to start again, what do you think the ISM should look like?

a) I could be alone in this thinking, but the ISM is a document that has matured, and throwing out that maturity would be a mistake; rather, continue with refinement. However, it is clear from the industry peers I speak with that ASD does not have a good feedback mechanism for ISM matters, and all too commonly I'm told they get no response. That is not a criticism, as I'm sure they are under-staffed and over-worked, but I have experienced this myself as well. Even a 'thanks for your email' response would be preferable to silence!

b) As for looks: more readability for the lay-person would make it more consumable, as would more definitions in the glossary and better applicability. For example, why are there so many G controls [8 of them] that apply to High Assurance products, when by definition HA products apply to Confidential or above?

c) 'Top 4 Mandatory Controls'. Now, I really love how this addition has caused an 'ohhh, buzzword' mentality throughout the industry; however, people are still missing the point that there are another 31 of these Mitigation Strategies they should be looking at as well. IMHO it just makes things difficult and causes unnecessary overhead for compliance. Perhaps it would be better to have an additional companion document for PSPF-ISM compliance that articulates exactly what is mandatory (i.e. 'You must do control X'), along with all the relevant guidance on how to achieve those outcomes for the Top 4 (rather than leaving agencies to their own devices to come up with a solution), and perhaps bring the other thirty-one mitigation strategies into the light.

rant: This section of the ISM should really be called "Top 4 Mitigation Strategies" rather than "mandatory controls", because there are actually 19 controls within the 'Top 4' which have been deemed mandatory by this one control. /rant

Do you see any value in the Principles Document? Who in your agency benefits from it?

a) Personally, I don't know who uses it actively. I have read it and it's great for providing extra context to the Controls Manual; however, that context is only useful if you have read both documents.

What would you think about a 'loose-leaf' structure, so changes can be included easily?

a) I would not find many advantages in a loose-leaf version. Personally, I would rely on discrete versions that are complete, rather than adding or removing pages manually to make a document complete. Most importantly, you can never be assured that someone has inserted or removed the correct pages - all kinds of crazy ideas!

Do you have any further thoughts about how we can improve the delivery of the ISM?

a) Yes, several; you can read my blog, ahem.
