Balneus

Australian Lefty on Politics, Governance, Science and Info Management

NOIE reincarnated and poor protection of critical infrastructure

Posted by Dave Bath on 2008-02-05


NOIE (the National Office of the Information Economy), then part of the Department of Communications, Information Technology and the Arts, was so incompetent, and provided such useless information to government and businesses, that it was dissolved and its functions assumed by a new agency within the Department of Finance called AGIMO (Australian Government Information Management Office), which has been doing a good job.

However, the new Department of Broadband, Communications and the Digital Economy seems to be a reincarnated NOIE, without much improvement, and is still producing documents with DCITA on the front page.

I’ve looked through a document they’ve released (published May 2007), apparently created by tisn.gov.au (Trusted Information Sharing Network for Critical Infrastructure Protection), with the front-page title Managing IT Security: When Outsourcing to an IT Service Provider: Guide for Owners and Operators of Critical Infrastructure. It took me about 5 seconds to find some glaring omissions.

It is full of motherhood statements and lists a few links to authoritative industry bodies and relevant Australian standards, but it has no pointers to AGIMO, nor to the minimum requirements for information security (mandated by the Attorney General’s PSM) that apply to all agencies and subcontractors, as defined by DSD (Defence Signals Directorate) and known affectionately to any competent Australian IT professional as ACSI-33. (More critical systems use tighter versions of ACSI-33 that are classified.)

It doesn’t even mention the PSM (the Protective Security Manual), which describes not only the requirements for IT security, but also security for infrastructure and people, and the details of how investigations into possible breaches of these requirements must be carried out.

In other words, it points to nothing that senior management can recognize as the minimum obligations required in any contract. Useless!

This document should be withdrawn or radically altered to point to actionable documents rather than waffle.

Those looking after our critical infrastructure ought to be ashamed of themselves – senior managers should be either sacked or re-educated.

This is yet another example of the Howard government knowing NOTHING about achieving actual security – just making noise to frighten the population.

Let’s hope Kevin Rudd can do better!


Notes:

  • To give you an idea of how bad things are, the Chief Security Officer, a couple of years ago, of a large part of national infrastructure (although not critical in the sense that it could be down for a few days) was unable to expand the acronym "PSM", and did not know its force.
  • While the PSM states that any waivers of the requirements it describes require sign-off by the head of the agency or the minister concerned, such decisions are typically made by middle managers, who simply fail to include the requirements in contracts and specifications of work, and don’t even sign a waiver at their own level!


5 Responses to “NOIE reincarnated and poor protection of critical infrastructure”

  1. Zombinol said

    I could not agree with you more, and further, Senior Management are not looking after the infrastructure at all; they outsourced the management of most of our critical infrastructure to usually foreign-owned companies, with defective contracts drawn up by the outsourcing companies.

    Also I wonder how Federal and State government contracts should sight, that if say the Tax department or Department of Justice IT systems were to be managed by American outsourcing companies; that under the US Patriot Act, are required to identify potential “Terrorists” and their activity by scrutinising the system they manage, in any country they are managing them and report to the US Homeland Security organisations their analysis.

    I can well understand why we don’t have effective security guidance as it might lead to secure a defeat of the scrutinizing.

    Information will become the oil of tomorrow, so if you’ve got it, don’t try to secure it as it will mean that the USA will just force harder to “secure” it.

  2. Dave Bath said

    Zombinol:

    they outsourced the management of most of our critical infrastructure

    The regs are quite explicit in the PSM (and thus inheriting DSD ACSI-33 etc., most probably the more stringent requirements that are not published on the net) that it applies to subcontractors, sub-subcontractors, sub-sub-subcontractors, …. I know you know this, but thanks for the support from someone who has specialized in infosec for decades!

    You are right about deficient contract management, but I’d rather say that the more fundamental problem is defective requirements management (probably stemming from most senior managers never having filled in the 3-page “idiots guide form” at the back of AS-4360).

    PS. Information is NOT the oil of tomorrow – we aren’t running out of it any time soon ;-)

    But … as Frank Zappa said:

    Information is not knowledge, knowledge is not wisdom.

  3. Zombinol said

    My analogy to oil is akin to this: oil lubricates the machinery of industry, information lubricates the mind.

    Correct, we aren’t running out of it; it’s just getting harder for the people that need it to get it.

  4. […] "NOIE Reincarnated and Poor Protections of Critical Infrastructure" (2008-02-05) which goes over the flaws in some Howard Government’s tisn.gov.au (Trusted […]
    (Later submission to the AG review in the pingbacker here)

  5. […] are coming from Conroy’s dbcde.gov.au, which I’ve previously criticized in "NOIE reincarnated and poor protection of critical infrastructure" […]
