Australian Government Information Technology Security Manual

Description:

As above plus: HIGHLY PROTECTED. CONFIDENTIAL. SECRET. TOP SECRET. PUBLIC DOMAIN. UNCLASSIFIED. IN-CONFIDENCE. RESTRICTED. PROTECTED ...

Slides: 22
Provided by: ChrisBa153

Transcript and Presenter's Notes

1
Australian Government Information Technology
Security Manual
  • Chris Barrett CISSP, Information Security Group,
    Defence Signals Directorate

2
Contents
  • Acknowledgements
  • Name change
  • The different versions
  • Handling and dissemination
  • Keywords
  • Relationship with the PSM
  • Phasing to the new
  • Templates
  • Where to from here

3
Acknowledgements

4
Why the Change of Name?
  • Reflects
      • the importance of the document, and
      • its alignment with the Protective Security Manual
  • The manual will also be known as ACSI 33

5
Version/Classification

6
Example: UNCLASSIFIED version
  • 101. Agencies SHOULD
  • 103. Agencies MUST

7
Example: SECURITY-IN-CONFIDENCE version
  • 101. Agencies SHOULD
  • 102. Agencies MUST
  • 103. Agencies MUST
  • Text that only appears in the SECURITY-IN-CONFIDENCE
    version appears in blue.

8
Handling and Dissemination
  • UNCLASSIFIED
      • Authorised for public release

9
Handling and Dissemination
  • SECURITY-IN-CONFIDENCE
      • Not to be made available, directly or indirectly,
        to the public, or to persons not considered to
        have a need-to-know, unless approved by DSD
      • Approved for release to companies intending to
        apply for Government business
      • Provision is the agency's responsibility, not DSD's
      • Readers do not require a security clearance,
        but do need to have a need-to-know
      • Transmission and storage in accordance with the
        PSM and ACSI 33

10
Primary Distribution Points
  • UNCLASSIFIED
      • DSD's Internet website (www.dsd.gov.au)
  • SECURITY-IN-CONFIDENCE
      • CD-ROM mail-out
      • Defence Security Authority's website on the
        Defence Restricted Network
  • Documents will be released as PDFs

11
Keywords - Before
  • shall
  • should
  • needs to
  • may
  • on no account
  • is to
  • make sure
  • must
  • should consider

12
Keywords - Now
  • MUST NOT
      • Mandatory
      • Non-compliance requires a waiver in accordance
        with the PSM
  • SHOULD NOT
      • Reasons for deviating MUST be documented
  • RECOMMENDED
      • Agencies are encouraged to document their reasons
        for not following

13
Relationship with the PSM
  • The majority of technical content relating to IT
    security will probably be removed from the PSM.
  • PSM will probably say something like:
      • IT systems processing Australian Government
        information must comply with ACSI 33.
  • Non-compliance with MUSTs and MUST NOTs in ACSI
    33 will mean that an agency is not complying with
    the PSM and therefore requires a waiver

14
SHOULDs and SHOULD NOTs
  • SHOULD
      • Valid reasons to deviate from the item may exist
        in particular circumstances, but the full
        implications need to be considered before
        choosing a different course
  • SHOULD NOT
      • Valid reasons to implement the item may exist in
        particular circumstances, but the full
        implications need to be considered before
        choosing this course
  • Agencies deviating from a SHOULD or SHOULD NOT
    MUST document the reason(s) for doing so

15
SHOULDs and SHOULD NOTs
  • Does not need to be elaborate
  • The inclusion of a risk management plan is
    encouraged
  • Demonstrates to the Certification and/or
    Accreditation Authorities that the issues were
    properly considered
  • Provides the ability to review past decisions as
    the threat environment changes
  • Deviations do not require DSD's approval,
    but we'd be happy to discuss or be advised

16
Phasing to the new
  • These documents have been superseded:
      • ACSI 33 (2000)
      • ACSI 37
      • ASSRO Supp 1 - Parts A B
      • DSD Policy Advisory on the use of SSL
  • Gateway Certification Guide will live on for now

17
Phasing to the new
  • Most policies and standards haven't changed
    too much
  • Agencies are expected to meet ACSI 33 by the end
    of 2004

18
Templates
  • We believe that there is already enough material
    in the public domain to not warrant DSD creating
    its own templates
  • We've decided to provide links on our website to
    existing material
  • Agencies are encouraged to adapt them to suit
    their requirements

19
Where to from here?
  • Original scope was to consolidate the documents
    and fix the obvious issues
  • in the end, we've fixed more than we planned
  • more work is required
  • We need to continue to review the material and
    update it as required
  • We need your assistance for this
  • Feedback is important

20
Updates
  • Will probably be released quarterly
      • e.g. March, June, September, December
  • Important changes will result in more frequent
    updates
  • Issued only in electronic form at the primary
    distribution points
  • Will consist of
      • updated PDFs, and
      • a stand-alone document summarising the changes
        since the last release

21
(No Transcript)