In Australia, today’s rapidly evolving Cyber threat landscape demands smarter and more accurate managed cybersecurity and compliance services. When we talk about the compliance system regarding information security, various cyber safety measures come into our minds, but not effective in all cases. In response, the Australian Government has offered a number of tools to assess and mitigate these cybersecurity risks.
Cybersecurity frameworks like the ‘Essential 8’, PCI DSS, ISO 27001, and more have been designed to diagnose these threats, and encourage organisations to adopt the best cybersecurity practices to plan for, and mitigate digital threats while operating online.
Australia’s Cybersecurity Compliance System Explained
Australian’s Cybersecurity Compliance system is very widely leveraged by Cybersecurity specialists. When an organization implements a tailored compliance program that meets an organization’s needs, it establishes an audit system of records to manage and maintain your compliance.
“THE OPPOSITE OF SECURITY IS INSECURITY, AND THE ONLY WAY TO OVERCOME INSECURITY IS TO TAKE RISKS.”
Let’s discuss these proven solutions and services for the full cybersecurity lifecycle for your information security requirements to ensure enterprise solutions for continuous compliance. Ensuring you understand and practice good cybersecurity is the best way to combat cyber threats, and to give your information security management system the context and scope it needs to be extremely effective.
ISO 27001 is an internationally-recognized Information Security Management System that requires your organization to address key areas of your operations and implement policies to ensure that you’re vigilant about protecting sensitive data.
ISO 27001 provides organizations – big and small – with a framework to protect their information, educate their staff about the best practices surrounding information security and instill risk-based thinking when it comes to potential threats to your organization. This framework provides you with the applicable technical, physical, and legal controls of information security. It allows you to prepare a robust policy that addresses potential risks and ensures the integrity of the data you’re protecting.
The process of gaining ISO 27001 certification is not a short one, and in fact, can take some large organizations several years. However, the actual time to final certification varies based on two key variables – your organization’s current state and the efficiency of implementing required controls. Our Best Practice ISO 27001 Lead Implementers have performed extensive implementation plans and have the experience to fast track your organization towards compliance.
PCI DSS Compliance:
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006, to manage the ongoing evolution of the Payment Card Industry (PCI) security standards focusing on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC, an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB.). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits, or stores any cardholder data. The current PCI DSS documents can be found on the PCI Security Standards Council website
Information Security Manual:
The purpose of the Australian Government Information Security Manual (ISM) is to outline a cybersecurity framework that organizations can apply, using their risk management framework, to protect their systems and information from cyber threats. The ISM is intended for Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), cybersecurity professionals, and information technology managers.
Organizations are not required, as a matter of law, to comply with the ISM unless legislation, or a direction given under legislation or by some other lawful authority, compels them to comply. Furthermore, the ISM does not override any obligations imposed by legislation or law. Finally, if the ISM conflicts with legislation or law, the latter takes precedence. While the ISM contains examples of when legislation or laws may be relevant for organizations, there is no careful consideration of such issues.
The purpose of the cybersecurity principles within the ISM is to provide strategic guidance on how organizations can protect their systems and information from cyber threats. These cybersecurity principles are grouped into four key activities: govern, protect, detect, and respond. Organizations should be able to demonstrate that the cybersecurity principles are being adhered to within their organization.
I think malware is a significant threat because the mitigation, like antivirus software, hasn’t evolved to a point to really mitigate the risk to a reasonable degree. Kevin Mitnic
ASD Essential Eight:
The Essential Eight is a series of baseline mitigation strategies taken from the Strategies to Mitigate Cyber Security Incidents recommended for organizations by the Australian Government. We’ve covered them in a previous post which you can read here. While no single mitigation strategy is guaranteed to prevent cybersecurity incidents, organizations must implement eight essential mitigation strategies as a baseline.
This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems. Furthermore, implementing the Essential Eight proactively can be more cost-effective in terms of time, money, and effort than responding to a large-scale cybersecurity incident.
A: Mitigation Strategies to Prevent Malware Delivery and Execution
Application control prevents the execution of unapproved/malicious programs, including .exe, DLL, scripts (e.g., Windows Script Host, PowerShell, and HTA), and installers.
Why: All non-approved applications (including malicious code) are prevented from executing.
Patch applications, e.g., Flash, web browsers, Microsoft Office, Java, and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications.
Why: Security vulnerabilities in applications can be used to execute malicious code on systems.
Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
Why: Microsoft Office macros can be used to deliver and execute malicious code on systems.
User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads, and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers, and PDF viewers.
Why: Flash, ads, and Java are popular ways to deliver and execute malicious code on systems.
B: Mitigation Strategies to Limit the Extent of Cyber Security Incidents
Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Why: Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems.
Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
Why: Security vulnerabilities in operating systems can be used to further the compromise of systems.
Multi-factor authentication including for VPNs, RDP, SSH, and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Why: Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
C: Mitigation Strategies to Recover Data and System Availability
Daily backups of important new/changed data, software, and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually, and when IT infrastructure changes.
Why: To ensure information can be accessed following a cybersecurity incident (e.g., a ransomware incident).
Click here for more information on getting Certified to ISO 27001 via e-Auditing or with our team of in-house specialists
The Privacy Act:
The Privacy Act 1988 (Privacy Act) was introduced to promote and protect individuals’ privacy and regulate how Australian Government agencies and organizations with an annual turnover of more than $3 million, and some other organizations, handle personal information.
The Privacy Act includes 13 Australian Privacy Principles (APPs), which apply to some private sector organizations and most Australian Government agencies. These are collectively referred to as ‘APP entities.’ The Privacy Act also regulates the consumer credit reporting system’s privacy component, tax file numbers, and health and medical research.
The main objectives of this Act are:
- To promote the protection of the privacy of individuals.
- To recognize that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities.
- To provide the basis for nationally consistent regulation of privacy and the handling of personal information.
- To promote responsible and transparent handling of personal information.
- To facilitate an efficient credit reporting system while ensuring that the privacy of individuals is respected.
- To facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected.
- To provide a means for individuals to complain about an alleged interference with their privacy.
- To implement Australia’s international obligation in relation to privacy.
APRA CPS 234 Compliance:
APRA is releasing a new prudential standard and updated guidance about information security across all APRA-regulated industries. As technological developments continue to expand, the scope and sophistication of potentially malicious activity against financial institutions will increase. The new requirements and guidance will help regulated entities to manage these risks.
Common governing bodies and individuals with decision-making, approval, oversight, operations, and other information security roles and responsibilities typically include:
- Information security steering/oversight committee
- The risk management committee (Board and management levels).
- Board audit committee.
- Executive management/executive management committee.
- Chief information officer (CIO)/IT manager.
- Chief information security officer (CISO)/IT security manager.
- Information security operations/administration.
- Management (business and IT).
The DISP, managed by the Defence Industry Security Officer (DISO), supports Australian businesses in understanding and meeting their security obligations when engaging in Defence projects, contracts, and tenders.
Benefits of DISP Membership:
- It helps you to get the right security requirements when delivering Defence contracts and tenders.
- It gives you access to Defence security advice and support services.
- It helps you better understand and manage security risks across your business.
- It provides confidence and assurance to Defence and other government entities (either Australian or foreign) when procuring industry members’ goods and services.