This is Part 2 of a multi-part series on Information Security Management.
Recent high-profile cyber security events have further increased awareness about the imperative to improve information security practices in line with evolving cyber security threats. More advanced, sophisticated, and highly coordinated security threats demand appropriate risk management planning and preparation in all organisations to ensure swift response and prevent potentially catastrophic outcomes.
Aurion is committed to ongoing work to further improve our internal information security management practices to comply with the most rigorous principles and practices. Additionally, as part of our commitment to improving information security for our customers, Aurion is continually working to strengthen the security features of our products and services.
As part of this commitment, we have partnered with independent security consulting providers to better understand information security principles and how we, and our customer community, can best apply specific practices. In this article in our series about Information Security Management, we will explore specific types of cyber security threats, and how best to prepare and respond to cyber threats.
All organisations require rigorous information security management planning to adequately prepare for, and respond to, security threats. At the recent Technology in Government conference in Canberra, government representatives, service providers and software vendors met to discuss current technology trends impacting government into the future. Information Security Management featured prominently, headlined by a presentation from Gregory Touhill, Brig Gen (ret), CISSP, CISM, Deputy Assistant Secretary, Cybersecurity and Communications representing the US Department of Homeland Security. The US Department of Homeland Security has been instrumental in the development of the Framework for Improving Critical Infrastructure Cybersecurity policy for Information Security Management in the United States.
Additionally, here in Australia the Australian Government Information Security Manual (ISM) provides guidance about Information Security principles and practices within an Australian context. In this article we will explore the key concepts and guidelines of both policies, and how they can be applied in your organisation.
Cyber Security is ‘not a technology issue’
Brigadier General Touhill emphasised one key concept throughout his presentation – ‘Cyber Security is not a Technology issue; it’s a risk management issue’. The US Department of Homeland Security works across all levels of government – federal, state and local – to take the cyber security conversation ‘out of the server room’ so that all stakeholders better understand risk and share information about best practices for information security management to protect networks. This work has resulted in over 200 emergency response units and significantly improved response and reaction outcomes across US agencies. The US Department of Homeland Security has been actively promoting a ‘Cyber Neighbourhood Watch’ approach – users across public and private networks share information more efficiently and use more robust practices, so that risks are understood by potentially affected parties earlier, for the benefit of the entire community.
Another key point raised by Brigadier General Touhill – cyber attacks cannot be prevented. Whilst exposure to cyber security attacks can be mitigated through effective network and process controls, all organisations need to have effective risk management plans to ensure that when, rather than if, a cyber attack occurs they are prepared to respond adequately.
Brigadier General Touhill identified a number of key programs that had impacted information security management policy across the US. President Barack Obama has actively promoted a cyber security response agenda that has included new programs focused on threat response, education and intelligence gathering and sharing. Specific programs have been implemented, aimed at rapid declassification of previously classified information so that the data can be shared across public and private agencies to better inform the community and enhance response planning.
Preparing an Information Security Management Plan
As Brigadier General Touhill emphasised, a risk management plan for managing information security practices is essential in any organisation. The US Department of Homeland Security promotes a framework based on the NIST Framework for Improving Critical Infrastructure Cybersecurity guidelines, which set out a series of activities to achieve specific cyber security objectives as part of an effective information security management plan:
- Identify – Develop the organisational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
The framework provides an approach which can be adopted by any organisation when viewing and assessing cyber security risk, and planning appropriate response protocols.
For Australian organisations, the Federal government has provided the Australian Government Information Security Manual (full text available here – http://www.asd.gov.au/infosec/ism/index.htm) to inform Australian public and private enterprises about cybersecurity risks and responsibilities, and about the information security management practices to implement to prevent cyber security attacks and improve reaction and response.
Improving Information Security Management at Aurion
At Aurion, we are committed to improving information security management practice in line with the Australian Government Information Security Manual to ensure the highest possible level of information security for our customers when using our products and services.
To that end, we have introduced new internal information security management processes, in conjunction with an independent external security specialist. These processes cover all internal and external production environments, inform all information security practice at Aurion, and form an integral part of our Quality and Compliance control processes and our ASAE3402 and ISO9001 standards accreditation. These processes are reviewed regularly for currency and effectiveness.
At a product level, our software quality and testing processes include a rigorous program of security testing, including regular vulnerability assessment testing and assessment against the OWASP criteria. Our product development program is currently expanding to include additional information security features and adoption of additional recommendations provided in the Australian Signals Directorate (ASD) standard to further improve the robust security offered by our Product Suite. In our latest software version, Aurion 11, we are implementing additional controls and features to ensure maximum protection from cybersecurity threats for all deployment types. Additionally, our testing program is continually evolving to include additional security testing types to cover all common cybersecurity scenarios and risks.
Over the coming months in this security series, Aurion will be providing further information about these changes, and additional insight into optimal security practice and measures that can be implemented to reduce risk, such as the implementation of SSL and other deployment strategies designed to minimise exposure to common cybersecurity attacks.