= AU's Information Security Manual & Protective Security Policy Framework =

The DSD ([[http://www.dsd.gov.au/|Defence Signals Directorate]]) publishes an [[http://www.dsd.gov.au/library/infosec/ism.html|Information Security Manual (ISM)]] for all Australian Government agencies. The ISM is the starting point for security auditing, accreditation, roles, etc. Likewise, the AG ([[http://www.ag.gov.au/|Attorney General]]) publishes a [[http://www.ag.gov.au/pspf|Protective Security Policy Framework]] for all government departments & agencies.

This page suggests approximate analogues from AU's regime to CAcert's regime, for interest only. A possible benefit is that some ideas may cross-fertilise, but this can only go so far. Typically, security models shouldn't be borrowed, as business contexts are different.

== Roles ==

|| AU Govt. ISM document or process || CAcert document or process || comments, ''text from ISM'' ||
|| Agency Head || Board || Board performs the executive role over all critical teams ||
|| CISO Chief Information Security Officer || Security Officer (Board) || ''"2.1.16. The CISO of an agency is responsible for coordinating communication between security and business functions as well as overseeing the application of information security controls and security risk management processes within the agency."'' ||
|| ASA Agency Security Advisor || ? For physical, see [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s2|SP2 Physical Security]]; for personnel, see [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s9.1|SP9.1 Staffing]] || ''"2.1.61. The appointment of an ASA within an agency ensures that '''physical and personnel''' security is implemented to appropriately protect information within agencies."'' This is a Protective role, c.f. PSPF 4.5 ||
|| ITSA Information Technology Security Advisor || ? || unclear what the difference is between this and the CISO. ''"2.1.69. The designation of an ITSM as the ITSA within an agency ensures that information security measures are coordinated across the entire agency."'' PSPF 4.5 GOV 2: ''"(agencies must appoint:) an information technology security adviser (ITSA) to advise senior management on the security of the agency’s Information Communications Technology (ICT) systems."'' ||
|| ITSM Information Technology Security Manager || Team Leaders under SP || T/Ls were called Officers in the past. ''"ITSMs are selected to review, alongside IRAPs and DSD reviewers."'' ||
|| ITSO Information Technology Security Officers || Assurers who have passed [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s9.1.4|SP9.1.4 ABC]] and are appointed to a team under SP || titles are team-specific ||
|| System Owners || ? || not clear. Possibly affected systems include ABC, Arbitration, OTRS, mail ||
|| System Users || Members || under CCA; not to be confused with Members of the Association ||
|| infosec-registered assessors || External Auditor || also, an ITSM may do an Information Security Assessment. Typically these people are called IRAPs. ||
|| IRAP Infosec-registered Assessor Program || External Auditor Program || IRAP is the DSD-managed list of approved Auditors drawn from commercial suppliers. ||
|| Accreditation Authority || Browser || the person that approves the accreditation from the review. Generally the CISO. ||
|| PSPF 3. 4 element people test || SP 9. || all points mirrored in CAcert's process (Assurance pre-requisite, ABC, t/l's testing & training, board approval, agreement to SP.) ||

== Doco ==

|| AU Govt. ISM document or process || CAcert document or process || comments, ''text from ISM'' ||
|| ISM || DRC || the set of principles, restrictions and criteria over which the org is assessed. ISM goes into far more depth (328 pages as opposed to 156 criteria) ||
|| [[http://www.ag.gov.au/pspf|PSPF]] Protective Security Policy Framework || SP Security Policy || demarcation between PSPF and ISM is unclear, as is the difference between ''protective'' and ''information'' securities. Both PSPF & SP are open, overarching documents mandating a number of subsidiary documents ||
|| ISP Information Security Policy || SP Security Policy || (ISM) ''"2.2.50. The ISP should describe the information security policies, standards and responsibilities of an agency and set any specific minimum requirements, which will then inform the development of SRMPs."'' ||
|| protocols || SM || PSPF authorises agency ''protocols,'' also plans, policies, procedures (4.5 GOV 4, 5); [[http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s1.4.2|SP1.4.2-3]] authorises the [[SecurityManual|Security Manual]] and procedures. ||
|| SRMP Security Risk Management Plan || ? || ''"2.2.63. The SRMP should contain a security risk assessment and a corresponding treatment strategy."'' ||
|| SSP System Security Plan || SM Security Manual || ''"2.2.35. The SSP describes the implementation and operation of controls within the system as derived from the ISM and the SRMP. Depending on the documentation framework chosen, some details common to multiple systems could be consolidated in a higher level SSP."'' ||
|| SOPs Standard Operating Procedures || (Security) Practices || ''"2.2.36. SOPs provide a step-by-step guide to undertaking information security related tasks. They provide assurance that tasks can be undertaken in a repeatable manner, even by system users without strong technical knowledge of the system’s mechanics. Depending on the documentation framework chosen, some procedures common to multiple systems could be consolidated into a higher level SOP."'' Practices are mandated by SM. ||
|| (ISM) IRP Incident Response Plan || [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s5|SP5 Incident Response]] || ''"2.2.37. The purpose of developing an IRP is to ensure that when an information security incident occurs a plan is in place to appropriately respond to the situation. In most situations the aim of the response will be to preserve any evidence relating to the information security incident and to prevent the impact of the information security incident from escalating within the agency."'' ||
|| (ISM) Emergency Procedures || [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s6|SP6 Disaster Recovery]] || ||
|| PSPF 4.6 risk management || ? || PSPF adopts AS/NZS ISO 31000:2009 and HB 167:2006 ||

== Classifications & Review ==

|| AU Govt. ISM document or process || CAcert document or process || comments, ''text from ISM'' ||
|| TOP SECRET, HIGHLY PROTECTED || critical || systems running the core CA and holding member assurance data ||
|| SECRET, CONFIDENTIAL, PROTECTED || [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s9.5|SP9.5 Confidentiality, Secrecy]], Rules 23B || systems documented as confidential or secret ||
|| X-IN-CONFIDENCE || None || no distinction maintained as yet ||
|| AUSTEO || client cert. || an approximate analogue would be "Members only", as implemented by client cert. ||
|| AGAO || TrustedGroup (wiki) || an approximate meaning would be "appointed roles only" ||
|| Accreditation || First Audit to selected criteria/body || as accreditation sets a level. ''"2.3.4. Accreditation is the process by which an authoritative body, the accreditation authority, gives formal recognition and acceptance of the residual security risk to a system and is the prerequisite for the operation of an information system."'' Accreditation generally includes Audit: ''"2.3.5. The accreditation process involves reviewing information security documentation, assessing the implementation and effectiveness of security controls, determining the residual security risk relating to the operation of a system and seeking acceptance of the residual security risk by an appropriate authority."'' ||
|| Information Security Assessment || Audit || ''"2.3.45. An information security assessment process is undertaken to review information security documentation, assess the actual implementation and planned effectiveness of controls for a system and report on any residual security risks relating to the operation of the system to the accreditation authority."'' ||

== Security & Risk Management Process ==

|| AU Govt. document or process || CAcert document or process || comments, ''text from ISM'' ||
|| ISM Vulnerability Analysis || ? || ''"2.4.19. Emerging security vulnerabilities can be addressed by conducting vulnerability analysis activities and addressing security risks identified as a result of the analysis."'' and ''"2.4.22. When an agency decides to implement changes to a system to address security risks resulting from a vulnerability analysis it will need to follow its change management processes, as for any other change."'' ||
|| ISM Change Management || Software-Assessment || unclear whether Change Management is limited to the security scope, or is the same as the wider scope, just documented within the Security domain. ''"2.4.32. Urgent and routine changes to systems can be controlled with the development of appropriate change management plans."'' WIP: [[Software/Assessment/Documentation/UpdateCycle|Software-Assessment and Update Procedure]] ||
|| PSPF 4.11, ISM Business Continuity and Disaster Recovery || [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s6|SP6 Disaster Recovery]] || CAcert detunes business continuity, but uptunes Disaster Recovery ||
|| PSPF 3. Resilience || not there || PSPF 3. ''"Effective protective security and business continuity management underpin organisational resilience."'' [1] ||
|| PSPF 1. risk appetite || no analogue || PSPF 1. sets the goal of ''"* identify their individual levels of security risk tolerance."'' No clear analogue in CAcert. Partly because of the unknown of the future auditor. Partly because of unclear purpose; is ''security appetite'' a metaphor to explain the productivity-security paradox? ||
|| PSPF 4.5 Security Culture || internalised || The business approach of calling for a security culture is probably internalised in CAcert by nature of its origins and community. What is less clear is the nexus with privacy culture, which often interferes with risk management and security. ||
|| (PSPF 4.8) Information Security Incidents || [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s5|SP5 Incident Response]] || ''"2.5.1. Information security incidents can be detected by developing, implementing and maintaining specialised tools and procedures."'' ||
|| (ISM) ISIR Information Security Incident Reporting (scheme) || ? || ''"2.5.51. Reporting significant information security incidents to the DSD will ensure that appropriate and timely assistance can be provided and that DSD can maintain an accurate threat environment picture for government systems."'' ||
|| PSPF 4.12 Contracting || SP 9.4 outsourcing || ||
|| PSPF 5.1 Vetting || SP 9.1.4 ABC || CAcert lacks ''"aftercare"''. ||
|| PSPF 4. transparency / openness || Principles || PSPF appears to attribute transparency & openness to a sort of demarcation issue, rather than a blunt productivity benefit. Missing a trick? CAcert doesn't really attribute it at all. ||
|| PSPF 4.6 risk management || ? || PSPF adopts AS/NZS ISO 31000:2009 and HB 167:2006 ||

 1. much of the text in PSPF resonates with teachings in ''Security & Risk Management''.

== Physical Security ==

|| AU Govt. PSPF document or process || CAcert document or process || comments, ''text from ISM'' ||
|| PSPF 5.3 Physical Security Core Policy || [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s2|SP2 Physical Security]] || PSPF 5.3 leads ISM (chapter). ||

== Misc ==

|| AU Govt. ISM document or process || CAcert document or process || comments, ''text from ISM'' ||
|| ISM 2.2.14-2.2.19 || ''also see DRC A.1, CCS'' || similar approach ||
|| ISM 2.2.41 formal signoff; PSPF 6(8) || [[http://www.cacert.org/policy/PolicyOnPolicy.php|PoP]] Policy On Policy || ''"2.2.41. Without appropriate sign-off within an agency, the information security personnel will have a reduced ability to ensure appropriate security procedures are in place for systems. Having sign-off at an appropriate level assists in reducing this security risk as well as ensuring that senior management is aware of information security issues and security risks to the agency’s business."'' ||

== Notes ==

 * Drawn against Sep09-rev1 as shown on the [[http://www.dsd.gov.au/library/infosec/ism.html|ISM page]].
 * Draws from the new [[http://www.ag.gov.au/pspf|PSPF]] Protective Security Policy Framework, which replaces the PSM approach.
 * Both CAcert and DSD's ISM are acronym-rich environments.
 * This page should not be taken as implying compatibility or compliance of one organization with the other's processes.
 * Mostly covers the first parts only; not a comprehensive scan of the ISM.