A large number of changes have been made to the federal government’s Information Security Manual (ISM).
There are no major backflips or U-turns on previous guidelines, of course, but the ISM has been substantially revised with a long list of small updates to most sections of the manual.
Instead of just publishing the new version and leaving it up to users to figure out what has changed, the Australian Signals Directorate helpfully lists all of the latest changes in one place.
There are updates to almost every section, from the executive summary through to the guidelines on:
- roles and responsibilities;
- dealing with cyber incidents;
- security documentation;
- physical and personnel security;
- communications infrastructure and systems;
- managing mobile devices and ICT equipment;
- multimedia management;
- system hardening, administration and monitoring;
- databases, email and networks;
- use of encryption;
- gateways, data transfers and content filtering; and
- cybersecurity terminology.
Some of the alterations are very minor and aimed only at improving readability, but most clarify or modify the advice itself.
In the chapter on applying a risk-based approach to cybersecurity, for example, the ASD has emphasised that agencies should keep an eye on “cyber threats and security risks in a system’s operating environment” as well as monitoring the system itself.
The ISM is the key cybersecurity resource for the federal government but is also designed to be used as a general reference by any other organisation.
“The ISM is based on a set of foundational cybersecurity principles centred on four key activities: govern, protect, detect and respond,” says the latest version, published this month.
“These principles, which are currently under review, set the strategic framework for protecting information and systems from cyber threats.”