ISMF Standard 141 Endpoint Protection. OCIO/S4.6 Government standard on cyber security

Transcription

1 ISMF Standard 141 OCIO/S4.6 Gvernment standard n cyber security Prepared by: Office f the Chief Infrmatin Officer Versin: v1.0 Date: 12 September 2014

2 GOVERNMENT STANDARD ON CYBER SECURITY OCIO/S4.6 Cnfidentiality: Public Versin: 1.0 Status: Final Audience: Cmpliance: Creatr: Mandate/Authrity: Original Authrisatin Date: Last Updated and Apprved: Issued: Primary Cntact: SA Gvernment Agencies; Suppliers t SA Gvernment Mandatry Office f the Chief Infrmatin Officer Security and Risk Steering Cmmittee 01 August August September 2014 Nt Applicable Security and Risk Assurance, Office f the Chief Infrmatin Officer, Tel: +61 (8) Cverage: The Suth Australian public authrities required t adhere t this standard are defined in OCIO/F4.1 Gvernment framewrk n cyber security Infrmatin Security Management Framewrk [ISMF]. This standard is intended fr use by Suth Australian Gvernment agencies and suppliers t Gvernment whse cntractual bligatins require them t cmply with this dcument. Reliance upn this plicy r standard by any ther persn is entirely at their wn risk and the Crwn in the right f Suth Australia disclaims all respnsibility r liability t the extent permissible by law fr any such reliance. T attribute this material, cite the Office f the Chief Infrmatin Officer, Gvernment f Suth Australia, ISMF Standard 141. This wrk is licensed under a Creative Cmmns Attributin 3.0 Australia Licence Cpyright Suth Australian Gvernment, Disclaimer OCIO/S4.6 versin 1.0 Page 2 f 10

3 DOCUMENT TERMINOLOGY AND CONVENTIONS The terms that are used in this dcument are t be interpreted as described in Internet Engineering Task Frce (IETF) RFC 2119 entitled Key wrds fr use in RFCs t Indicate Requirement Levels 1. The RFC 2119 definitins are summarised in the table belw. Term Descriptin MUST This wrd, r the terms "REQUIRED" r "SHALL", means that the definitin is an abslute requirement f the specificatin. MUST NOT This phrase, r the phrase SHALL NOT, means that is an abslute prhibitin f the specificatin. SHOULD This wrd, r the adjective "RECOMMENDED", means that there may exist valid reasns in particular circumstances t ignre a particular item, but the full implicatins must be understd and carefully weighed befre chsing a different curse. SHOULD NOT This phrase, r the phrase "NOT RECOMMENDED" means that there may exist valid reasns in particular circumstances when the particular behaviur is acceptable r even useful, but the full implicatins shuld be understd and the case carefully weighed befre implementing any behaviur described with this label. MAY This wrd, r the adjective OPTIONAL, means that an item is truly ptinal. 1 OCIO/S4.6 versin 1.0 Page 3 f 10

4 DOCUMENT CONTROL Dcument lcatin Q:\SecurityRiskAssurance\Plicy Develpment Sub-prgram\Plicy and Standards\ISMF\ISMFv3.2\ Electrnic recrds management infrmatin File Flder Number: OCIO08/0073/0003 Dcument Number: Authr(s) Jasn Caley Anthny Stevens Functin / rle Principal Plicy Adviser, Security and Risk Assurance Senir Analyst, Security and Risk Assurance Release details Versin Date Initial release accmpanying issue f ISMF v September 2014 Distributed t Versin Date Published t September 2014 CLASSIFICATION Cnfidentiality Descriptin Circulatin limit PUBLIC-I2-A1 N harm culd be caused t an rganisatin r individual and n unfair advantage culd be given t any entity and n vilatin wuld ccur t smebdy s right t privacy. Integrity 2 with lw availability requirements. Unrestricted access. OCIO/S4.6 versin 1.0 Page 4 f 10

5 TABLE OF CONTENTS 1. AUTHORITY CONTEXT Backgrund Histry SCOPE TERMS AND ABBREVIATIONS Terms IMPLEMENTATION ISMF Standard Business Cntrls REFERENCES AND LINKS...10 OCIO/S4.6 versin 1.0 Page 5 f 10

6 1. AUTHORITY This dcument states the standard f the Gvernment f Suth Australia with respect t endpint prtectin. Implementatin f this standard supprts the bjectives f ISMF Plicy Statement 18. Plicy Statement 18 Respnsible Parties shall undertake an active rle in prtecting infrmatin assets frm expsure t malicius sftware and scripts including but nt limited t: implementing cntrls t prevent and restrict the prliferatin f virus and trjan sftware, educating persnnel in the risks assciated with the use and/r intrductin f unauthrised sftware prducts, and, where apprpriate, intrducing custm cntrls t detect r prevent its intrductin. 2. CONTEXT 2.1. Backgrund Dependence n infrmatin systems and services means agencies are mre vulnerable t security threats. The intercnnecting f public and private netwrks and sharing f infrmatin resurces increases the difficulty f achieving access cntrl. Reliance n technical means alne t prvide cmprehensive security is unrealistic it needs t be supprted by apprpriate management f Infrmatin Assets. Generally, the weakest pint in any infrmatin system is where the perating envirnment is accessible t users typically via an endpint. Prtecting these endpints requires a cmbinatin f technlgy cntrls (bth hardware and sftware), cmprehensive plicies which utline users respnsibilities, and nging educatin t ensure users (and Business Owners) are aware f the risks, and the threats Histry This standard has n direct predecessrs. It is an evlutin and replacement f the frmer Threat Prtectin Standard (OCIO/S6.8.1 Technlgy Threat Prtectin Infrastructure Threat Prtectin Sftware Standard). Shifting technlgy emphasis frm centralised cmputing and traditinal client-server desktp envirnments t mbile devices (e.g. tablets, smartphnes, prtable PCs) has led t a requirement t cnsider endpints in a variety f situatins. This standard brings t the fre a number f prtectin measures which are derived frm and described within the ISO/IEC cde f practice. OCIO/S4.6 versin 1.0 Page 6 f 10

7 3. SCOPE This standard encmpasses all Gvernment f Suth Australia data and infrmatin. The ISMF and all security Bulletins, Ntificatins and standards issued under it shall apply, unless therwise advised, t all bdies that are: Suth Australian Gvernment public sectr agencies (as defined in the Public Sectr Act 2009), that is, administrative units, bdies crprate, statutry authrities, and instrumentalities f the Crwn. Public sectr agencies are herein referred t as Agencies ; OR Suppliers t the Suth Australian Gvernment r its Agencies that have cntractual cnditins which require cmpliance t the ISMF as described in sectin 2.1 f the ISMF The ISMF and all security Bulletins, Ntificatins and standards issued under it shall apply t: All infrmatin prcessed, stred r cmmunicated by ICT equipment, where that infrmatin is either: Official Infrmatin f the Suth Australian Gvernment r its Agencies; r Infrmatin f which the Suth Australian Gvernment r any f its Agencies has custdy 2 Infrmatin as described abve which Suppliers that have cntractual cnditins that require cmpliance t the ISMF as described in sectin 2.1 f the ISMF hld n behalf f the Suth Australian Gvernment r any its Agencies Anything that acts upn an ICT asset, including creating, cntrlling, validating, and therwise managing the ICT asset thrughut the lifecycle f the asset. 4. TERMS AND ABBREVIATIONS 4.1. Terms Respnsible Party is used in tw cntexts within the ISMF. These are: An Agency the internal t gvernment bdy that retains ultimate respnsibility fr all aspects cvered by the Infrmatin Security Management Framewrk [ISMF] as it relates t a particular agency and its infrmatin assets. A Supplier an external t gvernment entity that is typically respnsible fr cmpliance with the ISMF by way f a cntractual agreement that cntains clauses requiring security f Agency infrmatin and the regulatin f access t an Agency s infrmatin assets. The term Supplier shall be read as Suppliers wh are subject t cntractual cnditins that require them t cmply with the ISMF unless anther intentin is apparent. 2 Nte the definitin f custdy in the ISMF differs frm State Recrds interpretatin. OCIO/S4.6 versin 1.0 Page 7 f 10

8 When a Supplier has cntracted with the State, the prvisins f the ISMF will apply t the Supplier either: under the terms f a Purchasing Agreement fr whle f Gvernment cntracts and assciated Custmer Agreements; r by way f an individual cntract with an Agency whereby the Agency has specified the parts f its Infrmatin Security Management System [ISMS] fr which cmpliance is sught. It shuld be nted that Agency Chief Executives retain ultimate accuntability fr all security matters within their agencies. The applicatin f the ISMF t a Supplier via a cntract with the State r Agency shall nt abslve the Agency frm these bligatins and respnsibilities. Respnsible Parties includes bth Agencies and Suppliers wh are subject t cntractual cnditins that require them t cmply with the ISMF. Where any ambiguity arises between these entities in relatin t adherence t the ISMF, the Agency Cntrls implemented in the Custmer Agreement shall prevail (i.e. The Agency remains the default party and the Custmer Agreement is used as the vehicle fr setting the scpe and requirements fr the Supplier t cmply with either the entirety f the ISMF r part(s) theref. The Custmer Agreement may als intrduce additinal Agency-specific cntrls and plicies that the Supplier must cmply with). Business Owner represents the persn r grup that is ultimately respnsible fr an infrmatin asset. This persn r grup is distinct frm an infrmatin custdian, wh may take respnsibility fr the nging management f the infrmatin (such as a CIO r system administratr). Individual business units shuld wn business critical infrmatin, rather than infrmatin technlgy r infrmatin security departments (they are custdians, nt wners). The manager f the business unit respnsible fr the creatin f any infrmatin and / r the business unit directly impacted by the lss f the infrmatin is usually the Business Owner. A Business Owner r grup f Business Owners must be identified fr each infrmatin asset. Endpint means any device that is the final interface at the edge f a netwrk and directly used, managed r accessed by a persn r persns. These devices may include desktp PCs, laptps, tablets, smartphnes, pint f sale terminals, thin-client terminals, etc. refers t the security measures implemented fr user accessible devices at the edge f a netwrk that may cntain, r prvide access t, infrmatin fr an end user. OCIO/S4.6 versin 1.0 Page 8 f 10

9 5. IMPLEMENTATION 5.1. ISMF Standard 141 Agencies must establish and maintain security measures that ensure prprtinate prtectin f Endpint devices relative t the cnfidentiality, integrity and availability classificatin f infrmatin being accessed r prcessed n such devices Business Cntrls The fllwing general guidance applies regardless f the classificatin levels f the infrmatin assets: S141.1 Respnsible Parties shall deply and maintain apprpriate anti-virus/anti-malware slutins encmpassing Endpint devices (ISMF Standards 54 and 55) S141.2 Respnsible Parties shall maintain the perating system and installed applicatins with relevant patches as prvided by the manufacturer (ISMF Standard 121, Cntrl S134.3) S141.3 Respnsible Parties shuld establish prcedures fr the granting and revcatin f administrative privileges while discuraging their use unless explicitly required (ISMF Standard 78) S141.4 Agencies shuld cnsider implementing applicatin whitelisting, t prevent the use f applicatins that are nt sanctined by the business, have nt been adequately tested r are nt required by the user t perfrm their duties (Cntrl S54.1) S141.5 Agencies shuld remve r therwise disable nn-essential sftware and functinality that are nt required by the user (e.g. autrun, IPv6). Such measures shuld als take int accunt brwser and web navigatin plug-ins. (e.g. Java, Shckwave, Flash etc.) (ISMF Standard 54) S141.6 Agencies shall establish specific cntrls t prevent unauthrised access t mbility devices (ISMF Standard 101) S141.7 Respnsible Parties shuld cnsider additinal cntrls fr unattended equipment (ISMF Standard 82) S141.8 Respnsible Parties shall implement sessin/inactivity timeuts n all Endpint devices (ISMF Standard 97). Additinal cntrls based n DLMs and prtective markings CLASSIFICATION ADDITIONAL CONTROLS [P] Prtected [SC] Sensitive: Cabinet [I4] Integrity 4 S141.9 Endpint devices must nt be cnnected t public internet WiFi htspts (irrespective f whether they are free r fr fee services). S Endpint devices must nt be cnnected t Internet Kisks and ther generally accessible public facilities. OCIO/S4.6 versin 1.0 Page 9 f 10

10 6. REFERENCES AND LINKS ISMF Guideline 18 - Endpint prtectin (incl. smartphnes and prtable devices) OCIO/F4.1 Gvernment f Suth Australia Infrmatin Security Management Framewrk [ISMF] Gvernment f Suth Australia Prtective Security Management Framewrk [PSMF] issued as Premier and Cabinet Circular N. 30 AS/NZS ISO/IEC 27002:2006 Infrmatin Technlgy Security techniques Cde f Practice fr Infrmatin Security Management Applicatin Whitelisting Explained, Australian Signals Directrate, Australian Gvernment, Canberra. This wrk is licensed under a Creative Cmmns Attributin 3.0 Australia Licence Cpyright Suth Australian Gvernment, Disclaimer