Balneus

Australian Lefty on Politics, Governance, Science and Info Management

eSecurity Review

Posted by Dave Bath on 2008-07-15


The Attorney-General’s department is open for submissions (closing 2008-07-31) about Australia’s eSecurity.

Details at http://www.ag.gov.au/esecurityreview, with email submissions to e-securityreview@ag.gov.au

Some details from the terms of references and my initial hasty thoughts over the fold.

Here are snippets from the discussion paper and terms of reference:

… the review encourages you to consider the role of the following key enablers:

  • Supporting policies, procedures and technical standards
  • Education, training and awareness raising
  • Information sharing, including international cooperation
  • Ongoing testing, evaluation and exercises
  • Research and development
  • Legal and law enforcement
  • Physical, administrative and personnel security

You do not need to address all the areas listed above in your submission and you may comment on any other issues that you consider relevant to the terms of reference. The following questions may also assist you in writing your submission:

  • What do you see as being Australia’s top three e-security priorities?
  • What do you believe are the respective roles and responsibilities of government (including State/Territory and local), industry and home users in addressing e-security issues?
  • In what ways could Australia better protect itself against e-security threats and vulnerabilities?
  • What do you consider to be your role in e-security in Australia?

My initial thoughts are….

  • All tenders for information systems (including paper ones!) must explicitly state DSD-ACSI-33 (and the appropriate level) as a requirement.
     
  • DSD to audit requirements documents and be involved in testing for any system nominated as relating to national security, or widely used within government (e.g. databases accessed by more than one agency).
     
  • No system interfacing with critical infrastructure or central authorization/authentication systems to go into production unless DSD gives it a big tick (including things like backup/restore procedures and patch management plans).
     
  • All third-party systems (e.g. those employment services providers that work on behalf of Centrelink) are audited and reviewed just as much as systems running inside government agencies.
     
  • IT security officers within agencies to have the right to veto new systems going into production.

Big hint — keep operating systems and application systems known to have continual security problems out of government… (and this will also improve our trade balance, because of all the money we’ll save by avoiding Microsoft products).


Notes:

  • It’s about time that DSD ACSI 33 was updated – it’s supposed to be updated every 6 months, and the last one released was Sep 2007.
  • Here is an indication of what can happen with poor patch management … with the worst example I know of being the then three-year-old hole in sendmail that let in Chinese CyberAttacks in 2001 (see "What to do when the chips are down" 2007-05-22 and "Cyberwarfare – The Economist catches up to me" 2007-05-25)
  • See "NOIE Reincarnated and Poor Protections of Critical Infrastructure" (2008-02-05) which goes over the flaws in some Howard Governments tisn.gov.au (Trusted Information Sharing Network for Critical Infrastructure Protecture) documents from Mid 2007.  It does look like the ALP is doing more, unless this is another "warm and fuzzy" that they’ll back away from because the increased costs of system deployment (because almost nobody has being paying the costs demanded by security requirements and regulations for years, and almost every system deployed in the last decade will need a major overhaul)… more in a future post.

See Also/Notes:

Advertisements

One Response to “eSecurity Review”

  1. […] open consultations on reforms and reviews, one of which is the eSecurity Review (briefly discussed here on Balneus) that closes in a couple of days (so hurry […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: