It's been a very long year of waiting, but the September Release of the ISM is finally out, even though it seemed like it almost never happened.
The ISM being released this year was a close call, as all the changes are dated September 2017, yet it was publicly released two months later on the 10th November 2017. Unfortunately this release suffered major editing/layout problems, and was amended and re-released on the 22nd of November.
Like some of you, my journey with the 2017 ISM started with the draft that was released at the start of August 2017, followed by a pre-publication preview kindly sent to me by the kind chaps over in ASD's ISM Team on the 27th October.
Many hands have touched the ISM this year (for good or for worse) and, for all its faults, I believe it truly is a world-class document which continues to evolve and mature, providing us all with good, sound, actionable guidance. That being said, I'd love to see more resources devoted to a better workflow for its creation and additional resources granted to Agencies so they can implement longer-term goals which can help alleviate technical and risk debt.
/rant over, let's go over this year's ISM with what I have found, and what's in store for you.
- DISCLAIMER -
- I do not work for, or speak on behalf of, ASD, or even ACSC.
- This is not a paid review, nor is it sponsored by a government agency.
- This work is a product of my free time, and graciously permitted by my employer IONIZE.
- All views and opinions expressed in my blog are my own, and do not speak for or on behalf of anyone but myself.
As always, if you disagree with my logic, spot a bug/fault in this year's data, or just want to touch base, send me an email and I'll always do my best to respond in a timely manner.
The Good
Lots of rewording for clarity and to remove ambiguous guidance. Important here is the context around the controls, which provide good insight to the intent of how the control should be implemented or evaluated.
Breakdown
The 2017 ISM contains 945 controls this year, with 9 new controls and 126 revised, giving a total of 135 controls that would need to be re-assessed.
For 27 of these, ASD is the Authority and the remaining 917 controls (save for one) remain with the Agency Accreditation Authority.
Compliance requirement is split across: 489 must, 55 must not, 374 should, and 27 should not.
When it comes to classifications, 785 are Unclassified (DLM), 818 are PROTECTED, 801 are CONFIDENTIAL, 804 are SECRET, and 817 are TOP SECRET.
Document Structure
Almost no chapters, sections or topics moved around this year, with the exception of the section Conducting Accreditations which has been combined into the previous section Accreditation Framework, which is now renamed to Conducting Accreditations.
All in all you will find the same order to the document structure. However, the placement of some controls within topics has moved for logical reasons.
Rewording and Natural Language
The whole ISM seems to have had a fine-tooth comb dragged over it when it comes to choice of language, in most cases only a word here or some punctuation there have made the readability easier. However you will find other topics have had significant grammatical changes which have made the intent of controls clearer, and hopefully alleviates the mismatch of understanding which can sometimes be seen between the implementer and the assessor.
For example most of the chapters within the part Information Security Governance have all undergone significant revision, namely: Information Security Engagement, Roles and Responsibilities, Information Security Documentation, System Accreditation, and Cyber Security Incidents.
Content and Spelling
Great care has gone into the proof-reading of the entire document, eliminating all but a few typographical mistakes. The only one I spotted was:
- Page 166 - an extra space was added after the hyphen "... use behaviour- based ..."
However there is the matter of hyphenation, which I'll explain below.
The Bad
This section is somewhat of a commentary on things that could be better within the controls document, or perhaps things that are missing and really should be there.
Missing Content
I moved this old chestnut this year to the BAD section, purely because there is really no good reason to NOT have the following:
- Page 172 - The section Software Development is still missing a Context. The last revision available is found within the 2014 Release of the ISM, so like last year I have included it again for completeness: "By following the guidelines in this section, the software flaws and vulnerabilities which are able to be exploited by an intruder will be considered and addressed."
- Page 192 - The heading Context is missing; it is typically included after the Scope heading. Comparison with the 2016 ISM shows that the paragraphs where this heading should be make sense if it is correctly included.
- Page 256 - The topic title Cryptographic protocols is missing. When reading the topic Modes of operation, comparison with the 2016 release makes this missing title really jump out.
Updated Controls Mismatch
According to the most recent PDF, 124 controls were changed for this release; however, after review I found a total of 126 controls that were changed this year. During my analysis I did my best to locate and accurately record the comparison between the published 2016 PDF and 2017 PDF, as well as the intended (and unintended) changes that were made between the PDF publications.
Control 0357
2016 - Control: 0357; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA
Agencies must sanitise non-volatile EPROM media by erasing in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern, followed by a readback for verification.
2017 - Control: 0357; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA
Agencies must sanitise non-volatile EPROM media by erasing in accordance with the manufacturer’s specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification.
This very minor edit includes a space for 'read back', which in turn aligns this control statement perfectly with:
2017 - Control: 0359; Revision: 2; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA
Agencies must sanitise non-volatile flash memory media by overwriting the media at least twice in its entirety with a random pattern, followed by a read back for verification.
Control 1231
2016 - Control: 1231; Revision: 1; Updated: Apr-15; Applicability: C, S, TS; Compliance: must; Authority: ASD
Note: there was a publishing error with this control last year when it was updated without a revision, hence the May-16 for this year:
2017 - Control: 1231; Revision: 2; Updated: May-16; Applicability: C, S, TS; Compliance: must; Authority: ASD
The image below illustrates the changes made to this control.
The image also contains my suggested edit, the blue comma, which significantly increases the readability of:
CNSSAM recommendation DH 3072-bit or larger OR NIST P-384 OR RSA 3072-bit or larger.
To a somewhat more manageable (especially when copying the control out to another document):
CNSSAM recommendation DH 3072-bit or larger, OR NIST P-384 OR RSA 3072-bit or larger.
Arguably the row above for "Digital Signature" should also be readdressed.
Control 1395
This control was already in my article, before it was fixed in the re-release on the 23rd. The following words "... on ASD's Certified Cloud Services List" were removed and the authority was changed to ASD, so it now reads as follows:
Control: 1395; Revision: 0; Updated: Apr-15; Applicability: UD, P; Compliance: must; Authority: AA
Agencies must only use outsourced cloud services listed on ASD's Certified Cloud Services List (CCSL).
Control: 1395; Revision: 1; Updated: Sep-17; Applicability: UD, P; Compliance: must; Authority: ASD
Agencies must only use outsourced cloud services listed on ASD’s CCSL.
Bonus Control 0823
This control had the capitalisation of "the Internet" changed to "the internet". I wouldn't regard a case change to be worthy of a revision, but it's a good easter-egg if you're looking to see who fully updates their controls each year.
Control: 0823; Revision: 0; Updated: Sep-09; Applicability: UD, P, C, S, TS; Compliance: should not; Authority: AA
Agencies should not allow personnel to use peer-to-peer applications over the internet.
Now, you may be thinking that these may be trivial changes that don't warrant a revision. I would agree, however equally trivial changes to other controls are commonly marked as a revision.
Consistency is key: if it's changed, it's a revision.
Control Metadata Reverts to before 2016 Release
These controls effectively have their 'metadata' title data revert back to a version of the ISM prior to last-year:
2016 Control: 1175; Revision: 2; Updated: May-16; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA
Agencies must prevent users from using privileged accounts to read emails, open attachments, browse the Web or obtain files via internet services such as instant messaging or social media.
2017 Control: 1175; Revision: 1; Updated: Apr-15; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA
Agencies must prevent users from using privileged accounts to read emails, open attachments, browse the web or obtain files via internet services such as instant messaging or social media.
and
2016 Control: 0869; Revision: 2; Updated: Feb-14; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA
Agencies should encrypt information on all mobile devices using at least an AACA.
2017 Control: 0869; Revision: 1; Updated: Nov-10; Applicability: UD, P, C, S, TS; Compliance: should; Authority: AA
Agencies should encrypt information on all mobile devices using at least an AACA.
This type of mistake can really only be attributed to a lapse in good document control. I'd put it down to a copy of the ISM from before the 2016 release having been used to update content, which was then overlooked when it was submitted/added to the document.
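Both the consistency rule above (if it's changed, it's a revision) and the metadata reverts in this section are mechanical checks once the control headers are parsed. The following Python example is added to this page and is not part of the original post or the author's toolset: it parses the "Control: …; Revision: …; Updated: …" header format quoted throughout this post, diffs two releases by control number, and flags statements that changed without a revision bump as well as revisions that went backwards. The sample data is constructed from the controls quoted in this post (with 0359 present only in the 2017 set); the function names and the header regex are my assumptions, not anything published by ASD.

```python
import re
from collections import namedtuple

# Control header format as printed in the ISM and quoted in this post, e.g.
# "Control: 0357; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA"
HEADER_RE = re.compile(
    r"Control:\s*(?P<id>\d{4});\s*Revision:\s*(?P<rev>\d+);\s*Updated:\s*(?P<updated>[A-Za-z]{3}-\d{2});\s*"
    r"Applicability:\s*(?P<applic>[^;]+);\s*Compliance:\s*(?P<compliance>must not|should not|must|should);\s*"
    r"Authority:\s*(?P<authority>\w+)"
)

Control = namedtuple("Control", "id revision updated applicability compliance authority text")


def parse_release(blob):
    """Parse alternating header/statement lines into {id: Control}.
    Whitespace in the statement is normalised (PDF line wrapping differs between releases);
    case is kept, so 'Web' vs 'web' counts as a change."""
    lines = [ln.strip() for ln in blob.strip().splitlines() if ln.strip()]
    controls = {}
    for header, text in zip(lines[0::2], lines[1::2]):
        m = HEADER_RE.match(header)
        if not m:
            raise ValueError(f"unrecognised control header: {header!r}")
        controls[m["id"]] = Control(
            m["id"], int(m["rev"]), m["updated"],
            tuple(a.strip() for a in m["applic"].split(",")),
            m["compliance"], m["authority"], " ".join(text.split()),
        )
    return controls


def compare_releases(old, new):
    """Flag controls that are new, changed, changed without a revision bump, or reverted."""
    findings = {"new": [], "changed": [], "unbumped": [], "reverted": []}
    for cid, cur in new.items():
        prev = old.get(cid)
        if prev is None:
            findings["new"].append(cid)
            continue
        if cur.revision < prev.revision:
            # Revision went backwards: an older copy of the control was pasted in.
            findings["reverted"].append(cid)
        if cur[3:] != prev[3:]:  # applicability, compliance, authority or statement differ
            findings["changed"].append(cid)
            if cur.revision == prev.revision:
                # Content changed but Revision did not, so a diff by Revision alone would miss it.
                findings["unbumped"].append(cid)
    return findings


def compliance_counts(controls):
    """Count controls per compliance level (must / must not / should / should not)."""
    counts = {}
    for c in controls.values():
        counts[c.compliance] = counts.get(c.compliance, 0) + 1
    return counts


# Constructed sample: the controls quoted in this post, plus 0359 only in the 2017 set.
ISM_2016_SAMPLE = """
Control: 0357; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA
Agencies must sanitise non-volatile EPROM media by erasing in accordance with the manufacturer's specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern, followed by a readback for verification.
Control: 1175; Revision: 2; Updated: May-16; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA
Agencies must prevent users from using privileged accounts to read emails, open attachments, browse the Web or obtain files via internet services such as instant messaging or social media.
Control: 1395; Revision: 0; Updated: Apr-15; Applicability: UD, P; Compliance: must; Authority: AA
Agencies must only use outsourced cloud services listed on ASD's Certified Cloud Services List (CCSL).
Control: 0823; Revision: 0; Updated: Sep-09; Applicability: UD, P, C, S, TS; Compliance: should not; Authority: AA
Agencies should not allow personnel to use peer-to-peer applications over the Internet.
"""

ISM_2017_SAMPLE = """
Control: 0357; Revision: 3; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA
Agencies must sanitise non-volatile EPROM media by erasing in accordance with the manufacturer's specification, increasing the specified ultraviolet erasure time by a factor of three, then overwriting the media at least once in its entirety with a random pattern, followed by a read back for verification.
Control: 0359; Revision: 2; Updated: Sep-11; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA
Agencies must sanitise non-volatile flash memory media by overwriting the media at least twice in its entirety with a random pattern, followed by a read back for verification.
Control: 1175; Revision: 1; Updated: Apr-15; Applicability: UD, P, C, S, TS; Compliance: must; Authority: AA
Agencies must prevent users from using privileged accounts to read emails, open attachments, browse the web or obtain files via internet services such as instant messaging or social media.
Control: 1395; Revision: 1; Updated: Sep-17; Applicability: UD, P; Compliance: must; Authority: ASD
Agencies must only use outsourced cloud services listed on ASD's CCSL.
Control: 0823; Revision: 0; Updated: Sep-09; Applicability: UD, P, C, S, TS; Compliance: should not; Authority: AA
Agencies should not allow personnel to use peer-to-peer applications over the internet.
"""


def run_sample():
    return compare_releases(parse_release(ISM_2016_SAMPLE), parse_release(ISM_2017_SAMPLE))


if __name__ == "__main__":
    for kind, ids in run_sample().items():
        print(f"{kind:9s} {', '.join(ids) or '-'}")
    print(compliance_counts(parse_release(ISM_2017_SAMPLE)))
```

On the sample, 0357 and 0823 are reported as "unbumped" (statement changed, Revision unchanged), 1175 as "reverted" (Revision 2 back to 1), and 1395 as "changed" with a proper bump. The comparison is deliberately case-sensitive, since a capitalisation change is exactly the kind of edit the post argues should count; an assessor who only diffs the Revision field would miss all of the first group.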
The Ugly
So we already know the ISM was released twice, and this was perhaps a little rushed. The same types of errors that were fixed still exist further on in the document.
Let's get into them.
Missing & Hidden Controls
I'm taking a guess here that this 'bug' was due to the typesetting or editing phase of the ISM, and it was fixed in the 23rd November re-release of the ISM. If you go searching for controls 0374, 0329 and 0375 in the initially released PDF, you will find them hidden underneath the Disposal Procedure diagram located on page 160.
In addition to this you will also notice that control 1230 was missing from the initial release; but thankfully was re-added in the 23rd re-release.
Bullet List Formatting
Quite a few of these were fixed in the 23rd November re-release, such as the following (non-definitive) examples:
- Page 58 - Control: 0912 and Control: 0115
- Page 75 - List titled "The physical security requirements of the Australian Government Physical Security Management Protocol can be achieved by:"
- Page 81 - Control: 0405
- Page 106 - Control: 0218
Even though these minor errors were fixed, the following bullet-list issues still remain, most likely due to a lack of care during pagination/layout of the document:
- Page 75
- Page 130
- Page 142
- Page 194
- Page 240
- Page 242
- Page 260
- Page 278
That's eight more of these that I'm sure would have been found and fixed if there was more review time before publication.
Lazy addition of content
On page 123 you will find the table for Other applicable controls. Reading down this table you will note that the Mitigation Strategy of Multi-factor authentication has additional controls from specific chapters and sections added as follows:
| Mitigation strategy | Chapter and section of ISM | Control numbers |
|---|---|---|
| ... | ... | ... |
| Multi-factor authentication | Access Control - Identification, Authentication and Authorisation, Cross Domain Security - Gateways, Secure Administration - Secure Administration | 0974, 1039, 1173, 1357, 1384, 1401 |
| ... | ... | ... |
Not only has the alternate row highlighting been forgotten about (likely from a copy/paste of the previous last row), but you will note that the controls listed don't line up with their Chapters and Sections as one would expect, since the rest of the controls manual follows this formatting style. As such, I believe the table should look like the following, which is how you will find this table within my toolset:
| Mitigation strategy | Chapter and section of ISM | Control numbers |
|---|---|---|
| ... | ... | ... |
| Multi-factor authentication | Access Control - Identification, Authentication and Authorisation | 0974, 1173, 1357, 1401 |
| | Cross Domain Security - Gateways | 1039 |
| | Secure Administration - Secure Administration | 1384 |
| ... | ... | ... |
Note: Markdown doesn't know how to span rows; in the PDF the above table would have all three 'Mitigation Strategy' rows for 'Multi-factor authentication' merged into one cell.
Unnecessary use of En dash & Hyphen
I'm prepared for the flaming from grammar Nazis, but I'm going to go out on a limb for this one. In various sections of the ISM there seems to be an overuse of the en dash and hyphens where other, more natural punctuation would be more appropriate/readable. Mostly the additional hyphenation and use of the en dash are mid-sentence, as a means to break the word flow or to illustrate subtext. I'm not talking about typical usage such as compound adjectives, or a connection/conflict. Whilst these may be the writing style of certain document contributors, for the sake of natural language why isn't the humble comma or a pair of parentheses used instead?
The following examples take into account that the content of the ISM does not get used solely within the PDF; commonly it is copied out to other documentation and used in multiple formats.
(Rampant) examples include:
- Page 6 - The following sentence uses an en dash: "The ISM aims to assist agencies in understanding the potential consequences of non-compliance—and whether such non-compliance presents an acceptable level of risk—as well as selecting appropriate risk mitigation strategies". For readability, I'm suggesting that the following is more readable: "The ISM aims to assist agencies in understanding the potential consequences of non-compliance (and whether such non-compliance presents an acceptable level of risk) as well as selecting appropriate risk mitigation strategies".
- Page 7 - The following sentence uses an en dash rather than a pair of parentheses: "Because an agency’s risk owner—the agency head or their formal delegate—is accountable for an information or cyber security incident, ...". This could be better presented like the following: "Because an agency’s risk owner (the agency head or their formal delegate) is accountable for an information or cyber security incident, ...".
- Page 123 - The table for Other applicable controls uses a hyphen to span consecutive numbers (i.e. 1411-1412), where the rest of the table contains individual control numbers. One of these was fixed in the re-publish of the ISM, but this one was missed. More importantly, a hyphen should never have been used in this way in the first place, since the intent of the table is to list every individual control that is applicable.
- Page 128 - Perhaps a plain old comma and space would be sufficient for Control 0937: "... product that they expected to receive—and in an unaltered state."
- Page 259 - The first sentence of Cryptographic Systems uses a pair of en dashes instead of a pair of parentheses: "Cryptographic systems are comprised of equipment – either High Assurance or commercial grade – and keying material."
Hyperlinks
Not checked this year; most looked good during import, although some of the text surrounding hyperlinks was formatted as a hyperlink.
Footnote
There was a significant amount of work this year involved in transcribing the ISM and there was a significant attempt to get it out sooner. Unfortunately due to the document changes between the pre-release in October and the re-release in November, the amount of work needed to verify the document was somewhat repeated.
Thank you for reading through this post this year.
Special Thanks
Firstly I must acknowledge the team at IONIZE for their continued support and the words of encouragement. Secondly, a shout-out to everyone from InSecure Slack. Good feedback and active discussions have been productive over the year and I hope to see this community grow to provide more professional discussions.
And last but not least, a shout-out to those of you that have taken the time to get in contact. I'm always invigorated when I hear from people making good use of my project (or even when they spot a fault in my work).
If you would like to get in touch you can as always send an email to [email protected], or come and have a chat at any of the Australian security conferences or professional gatherings.
Looking forward, I'm keenly interested in the new levels of maturity the ISM will evolve to in its next iteration.
.J