Key IT security documentation includes:
https://blueprint.asd.gov.au/security-and-governance/general-documentation/
https://blueprint.asd.gov.au/security-and-governance/policies/
A cyber security strategy articulates an organisation’s vision, guiding principles, objectives and priorities for cyber security, typically over a five-year period. In addition, a cyber security strategy may also cover an organisation’s threat environment, and the cyber security initiatives or investments the organisation plans to make as part of its cyber security program. Without a cyber security strategy, an organisation risks failing to adequately plan for and manage security and business risks within the organisation.
Control: ISM-0039; Revision: 6; Updated: Dec-22; Applicability: All; Essential Eight: N/A
A cyber security strategy is developed, implemented and maintained.
If security documentation is not reviewed and approved by an appropriate authority, system owners risk failing in their duty to ensure that appropriate controls have been identified and implemented for systems and their operating environments. In doing so, it is important that a system’s security architecture, as outlined within the system security plan and supported by the cyber security incident response plan and continuous monitoring plan, is approved by the system’s authorising officer prior to the development of the system.
Control: ISM-0047; Revision: 4; Updated: May-19; Applicability: All; Essential Eight: N/A
Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system’s authorising officer.
Control: ISM-1739; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
A system’s security architecture is approved prior to the development of the system.
Threat environments are dynamic. If security documentation is not kept up to date to reflect the current threat environment, policies, processes and procedures may cease to be effective. In such a situation, resources could be devoted to cyber security initiatives or investments that have reduced effectiveness or are no longer relevant.
Control: ISM-0888; Revision: 5; Updated: May-19; Applicability: All; Essential Eight: N/A
Security documentation is reviewed at least annually and includes a ‘current as at [date]’ or equivalent statement.
It is important that once security documentation has been approved, it is published and communicated to all stakeholders. If security documentation is not communicated to stakeholders, they will be unaware of what policies and procedures have been implemented for systems.
Control: ISM-1602; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
Security documentation, including notification of subsequent changes, is communicated to all stakeholders.
System-specific security documentation, such as a system security plan, cyber security incident response plan, continuous monitoring plan, security assessment report, and plan of action and milestones, supports the accurate and consistent application of policies, processes and procedures for systems. As such, it is important that they are developed by personnel with a good understanding of business requirements, technologies being used and cyber security matters.
System-specific security documentation may be presented in a number of formats, including in wikis or other forms of document repositories. Furthermore, depending on the documentation framework used, details common to multiple systems could be consolidated into higher level security documentation.
SSP, SSP Annex
The system security plan provides an overview of the system (covering the system’s purpose, the system boundary and how the system is managed) as well as an annex that describes the controls that have been identified and implemented for the system.
There can be many stakeholders involved in developing and maintaining a system security plan. This can include representatives from:
- cyber security teams
- project teams who deliver the capability (including contractors)
- support teams who operate and support the capability
- data owners for data processed, stored or communicated by the system
- users for whom the capability is being developed.
Control: ISM-0041; Revision: 6; Updated: Jun-24; Applicability: All; Essential Eight: N/A
Systems have a system security plan that includes an overview of the system (covering the system’s purpose, the system boundary and how the system is managed) as well as an annex that covers applicable controls from this document and any additional controls that have been identified and implemented.
A Cyber Security Incident Management Policy is a requirement of ISM control ISM-0576.
ISM control ISM-1784 is also relevant to this policy and states the following requirements:
Having a cyber security incident response plan ensures that when a cyber security incident occurs, a plan is in place to respond appropriately to the situation. In most situations, the aim of the response will be to prevent the cyber security incident from escalating, restore any impacted system or data, and preserve any evidence.
Control: ISM-0043; Revision: 5; Updated: Sep-23; Applicability: All; Essential Eight: N/A
Systems have a cyber security incident response plan that covers the following:
- guidelines on what constitutes a cyber security incident
- the types of cyber security incidents likely to be encountered and the expected response to each type
- how to report cyber security incidents, internally to an organisation and externally to relevant authorities
- other parties which need to be informed in the event of a cyber security incident
- the authority, or authorities, responsible for investigating and responding to cyber security incidents
- the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the Australian Signals Directorate or other relevant authority
- the steps necessary to ensure the integrity of evidence relating to a cyber security incident
- system contingency measures, or a reference to such details if they are located in a separate document.
A continuous monitoring plan can assist an organisation in proactively identifying, prioritising and responding to vulnerabilities. Measures to monitor and manage vulnerabilities in systems can also provide an organisation with a wealth of valuable information about their exposure to cyber threats, as well as assisting them to determine security risks associated with the operation of their systems. Undertaking continuous monitoring activities is important as cyber threats and the effectiveness of controls will change over time.
Three types of continuous monitoring activities are vulnerability scans, vulnerability assessments and penetration tests. A vulnerability scan involves using software tools to conduct automated checks for known vulnerabilities, whereas a vulnerability assessment typically consists of a review of a system’s architecture or an in-depth hands-on assessment. In each case, the goal is to identify as many vulnerabilities as possible. A penetration test, however, is designed to exercise real-world scenarios in an attempt to achieve a specific goal, such as compromising critical system components or data.
Regardless of the continuous monitoring activities chosen, they should be conducted by suitably skilled personnel independent of the system being assessed. Such personnel can be internal to an organisation or from a third party. This ensures that there is no conflict of interest, perceived or otherwise, and that the activities are undertaken in an objective manner.
Control: ISM-1163; Revision: 10; Updated: Sep-23; Applicability: All; Essential Eight: N/A
Systems have a continuous monitoring plan that includes:
- conducting vulnerability scans for systems at least fortnightly
- conducting vulnerability assessments and penetration tests for systems prior to deployment, including prior to deployment of significant changes, and at least annually thereafter
- analysing identified vulnerabilities to determine their potential impact
- implementing mitigations based on risk, effectiveness and cost.
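The cadences in ISM-1163 (scans at least fortnightly; assessments and penetration tests before deployment, before significant changes, and at least annually) can be checked mechanically against a system’s monitoring register. The following is an added example, not ISM or ASD code; the register entries are constructed for a hypothetical system, and the function names are assumptions.

```python
from datetime import date, timedelta

# Cadences from ISM-1163: "at least fortnightly" scans, "at least annually"
# vulnerability assessments and penetration tests.
FORTNIGHT = timedelta(days=14)
YEAR = timedelta(days=365)


def scan_findings(scan_dates, as_at):
    """Report every interval between scans that exceeded a fortnight, and
    whether the latest scan is itself more than a fortnight old at `as_at`."""
    dates = sorted(scan_dates)
    gaps = [(dates[i - 1], dates[i]) for i in range(1, len(dates))
            if dates[i] - dates[i - 1] > FORTNIGHT]
    stale = not dates or as_at - dates[-1] > FORTNIGHT
    return gaps, stale


def assessment_findings(test_dates, milestones, as_at):
    """An assessment/penetration test must fall between each milestone
    (initial deployment or a significant change) and the milestone before
    it, and consecutive tests must be no more than a year apart."""
    tests = sorted(test_dates)
    findings = []
    previous = date.min
    for when, label in sorted(milestones):
        if not any(previous < t <= when for t in tests):
            findings.append(f"no assessment/pentest before {label} on {when}")
        previous = when
    for i in range(1, len(tests)):
        if tests[i] - tests[i - 1] > YEAR:
            findings.append(f"gap over a year between {tests[i - 1]} and {tests[i]}")
    if not tests or as_at - tests[-1] > YEAR:
        findings.append("latest assessment/pentest older than a year")
    return findings


# Constructed sample register for a hypothetical system (not real data).
SAMPLE_SCANS = [date(2024, 1, 8), date(2024, 1, 22), date(2024, 2, 5),
                date(2024, 3, 4), date(2024, 3, 18)]
SAMPLE_TESTS = [date(2023, 12, 1), date(2024, 2, 20)]
SAMPLE_MILESTONES = [(date(2023, 12, 15), "initial deployment"),
                     (date(2024, 2, 10), "significant change: new auth module")]


def run_sample(as_at=date(2024, 3, 25)):
    """Evaluate the constructed register as at a given date."""
    gaps, stale = scan_findings(SAMPLE_SCANS, as_at)
    return gaps, stale, assessment_findings(SAMPLE_TESTS, SAMPLE_MILESTONES, as_at)
```

Run against the sample register, this flags the four-week gap between the February and March scans and the significant change that was deployed without a preceding assessment.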
At the conclusion of a security assessment for a system, a security assessment report should be produced by the assessor. This will assist the system owner in performing any initial remediation actions as well as guiding the development of the system’s plan of action and milestones.
Control: ISM-1563; Revision: 1; Updated: Jun-22; Applicability: All; Essential Eight: N/A
At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers:
- the scope of the security assessment
- the system’s strengths and weaknesses
- security risks associated with the operation of the system
- the effectiveness of the implementation of controls
- any recommended remediation actions.
At the conclusion of a security assessment for a system, and after the production of a security assessment report by the assessor, a plan of action and milestones should be produced by the system owner. This will assist with tracking any of the system’s identified weaknesses and recommended remediation actions identified during the security assessment.
Control: ISM-1564; Revision: 0; Updated: May-20; Applicability: All; Essential Eight: N/A
At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner.