Information security management guidelines

Agency cyber security responsibilities when transacting online with the public

Endorsed by the CSPCC 25 July 2011

Version 1.0
© Commonwealth of Australia 2011

All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia (http://creativecommons.org/licenses/by/3.0/au/deed.en) licence.

For the avoidance of doubt, this means this licence only applies to material as set out in this document.

The details of the relevant licence conditions are available on the Creative Commons website (accessible using the links provided) as is the full legal code for the CC BY 3.0 AU licence (http://creativecommons.org/licenses/by/3.0/legalcode).

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are detailed on the It's an Honour (http://www.itsanhonour.gov.au/coat-arms/index.cfm) website.

Contact us

Inquiries regarding the licence and any use of this document are welcome at:

Business Law Branch
Attorney-General’s Department
3-5 National Cct
BARTON ACT 2600
Telephone: (02) 6141 6666
copyright@ag.gov.au



Document details

Security classification: Unclassified
Dissemination limiting marking: None
Date of security classification review: Not applicable
Authority: The Attorney-General
Author: Cyber Security Policy and Coordination Committee (CSPCC)
Document status: Endorsed by the CSPCC, 25 July 2011







Purpose

This guideline aims to assist agencies to understand and address their responsibility to minimise the risk of harm to the public when transacting online with the Australian Government. It will also assist agencies to apply the Australian Government’s Cyber Security Strategy within their agency and provides national leadership by adopting best practice models.

Scope

The scope of this advice includes:

• The public and business (including all non-Commonwealth Government external parties) [1].

• All Australian Government online services delivered through websites or web services protocols.

• Transactions conducted or facilitated by external parties that either wholly or partially support Australian Government service activities [2].

• The public that indirectly access Australian Government service activities through non-Commonwealth Government intermediary parties.

• Public access to all Australian Government online services hosted by government or service providers.

The scope of advice does not include risks specific to:

• e-mail.

• Removable media used to facilitate online transactions.

Background

The Australian Government is committed to maintaining a safe, secure, resilient and trusted online environment that supports Australia’s national security and maximises the benefits of the digital economy.

Online services offer the public a convenient, efficient and accessible means to access government services. However, as the demand for online government services continues to grow, so too does the scale, sophistication and perpetration of cyber crime and activities by malicious actors.

The Australian Government recognises these threats and identifies cyber security as one of its top tier national security priorities. As Australia continues to experience an increase in cyber activities, it is essential for Australian Government agencies to continue to actively consider the risks to public users of Government online services.




[1] For the sake of brevity, the term public used throughout this guideline also encompasses business.

[2] Service activities include, but are not limited to, programs, initiatives, grants, policy design, etc.



Action required

Agencies should adopt mitigation strategies to reduce exposing the public to cyber security risks when they transact online with government. Firstly, agencies are required to assess this risk.

As a starting point, agencies should evaluate the threat scenarios identified in Annex A in their assessment and adopt applicable security controls for online services provided. In order to inform this assessment, agencies should consult with the public. Agencies should also consider using the mitigation strategy examples at Annex B when developing their risk management plan.

In this context, Australian Government agencies are required to apply sound security risk management practices in accordance with AS/NZS 31000:2009 and the Australian Standards HB 167/2006 Security Risk Management. The Australian Government Protective Security Policy Framework (GOV-6) mandates this requirement.

This guideline will be reviewed in mid 2012 to ensure relevance and application to Government online services.

Further information

Agency business areas that provide online services should seek to maintain an in-house IT security capability that works closely with the agency IT Security Advisor (ITSA). The first point of contact for an agency to seek advice is the ITSA. Each ITSA is expected to maintain awareness of cyber security policy and the threat environment.

Additional information on this guideline and the Australian Government Cyber Security Policy should be directed to:

Protective Security Policy Branch
Attorney-General’s Department
3-5 National Circuit
BARTON ACT 2600
Email: pspf@ag.gov.au

Information Security Operations Branch
Defence Signals Directorate
Russell Offices
RUSSELL ACT 2600
Email: assist@dsd.gov.au





ANNEX A

Potential threat sources to the public when transacting with Australian Government agencies

As online services and transaction portals continue to evolve, agencies should evaluate the following threat scenarios:

• An attacker masquerades as a legitimate agency website to compromise a public user’s computer, to steal their identity or to scam them into providing financial details (including credit card details).

• An agency website is compromised and used to host malicious software which subsequently compromises computers used by the public when they access the website.

• An agency website is compromised and used to redirect public users transacting with the website to another malicious website that subsequently compromises their computer.

• A compromised agency website could result in public users’ username/password details being stolen and an attacker masquerading as the user to claim government or other financial benefits.

• The compromised account details of public users could lead to the compromise of other websites, as public users may use the same details for multiple government online accounts.

• The compromise of a computer used by the public could result:
    o in their addition to a botnet to participate in illegal activities;
    o in the theft of details for fraud or identity theft purposes;
    o in the blackmail of the user (where attackers encrypt hard drives and demand money for a decryption key); and
    o in the corruption of the computer and loss of user information.

• A pattern of online requests for personal information that is unusual and not routine.



ANNEX B

Suggested actions to reduce the risk of harm to the public transacting online with Australian Government agencies

In conjunction with their risk assessment, agencies should evaluate the following actions to reduce the risk of harm to users transacting with government:

• Where “online transaction accounts” are in use:
    o Agencies should require users to accept Account Terms and Conditions prior to establishing an account and on the first use of a different computer by the user.
    o Agencies’ Account Terms and Conditions should contain a warning that explains (in simple terms) the specific risks associated with the use of the online service and provide details of alternate channels for service and/or support.
    o When Account Terms and Conditions are updated or amended, the public user should then accept the new details prior to continued use.
    o A query button should be linked to an agency’s Privacy Policy page to provide further information to public users on the conditions of acceptance.
    o Agencies should not implement transaction processes that put the user at risk of unnecessary harm, for example by requiring the public user to lower or reduce their security protection measures.

• When a public user elects to download any non-public information from an agency website:
    o An appropriate pre-download warning identifying the potential risk should be in place, for example, “Warning: you are about to download information across an unsecured connection.”
    o Warning options “Proceed”, “Cancel” or “?” should be provided.
    o Agencies should also provide links to additional information on associated risks, for example, by including hover information over the question or query mark noted above.

• All Australian Government websites should:
    o Ensure website statements include a Security Notice and a Disclaimer Notice. Agencies should evaluate using the Australia.gov.au website as a template for these notices in consultation with an agency’s legal area. For example, agencies should advise the public to report any suspicious or unauthorised activity related to an online transaction to the responsible agency.
    o Include a link to government cyber advice:
        ▪ Protecting Yourself Online - What Everyone Needs to Know: http://www.ag.gov.au/www/agd/agd.nsf/Page/CyberSecurity_ProtectingYourselfOnline-WhatEveryoneNeedstoKnow
        ▪ Cybersafety Help Button - online assistance and resources: http://www.dbcde.gov.au/helpbutton
        ▪ CyberSmart - Cyber Safety for kids, teens, parents, libraries, schools: http://www.cybersmart.gov.au
        ▪ Stay Smart Online - Cyber Security for Australian internet users: http://www.staysmartonline.gov.au
        ▪ SCAMWatch - online information on avoiding and reporting scams: http://www.scamwatch.gov.au
        ▪ CERT Australia - Australia’s national computer emergency response team: http://www.cert.gov.au
        ▪ The Australian Government Cyber Security Strategy: http://www.ag.gov.au/cybersecurity
        ▪ The Australian Federal Police: www.afp.gov.au





• Patches for online services (including the maintenance of information-only web pages) and associated web servers should be actioned as a level 1 priority by the agency’s IT support. Delays in patching may create cyber security vulnerabilities for public users.

• Online transactions that transfer personal details to the government are to be done over a secure connection and only transfer required specific details.

• Agencies should only collect information from users necessary for the delivery of a service.

• Agencies that use social networking services to interact with the public should carefully evaluate privacy and security implications when collecting and retaining personal information as part of a service.

• Where warranted, agencies may offer or impose higher level security credentials such as one-time passwords, digital certificates or tokens.

• Agencies should impose restrictions on or warnings about particular browser versions that are known to have security weaknesses or are out of date and/or unsupported.

• Agencies should notify users about unusual or higher risk online activity on their account.

• Agencies should display the previous login time and date when a user next logs in. If an agency is implementing a high value or high risk transaction, it may wish to consider sending a follow-up email to the user notifying them that their account has been accessed with details of the associated Internet Protocol (IP) address.

• Agencies should analyse patterns of online user interactions for unusual activity that could indicate a security compromise.

• Agencies should profile user access devices to detect unusual access vectors that could suggest a security compromise.

• Agency emails should carry clear messages about what agencies won’t require users to do on the basis of an email, for example, requesting the user to provide sensitive personal information such as logon credentials. Agencies should also consider providing advice, or links to, cyber security and cyber safety information.

• Agencies should implement a password policy to help users select a secure password.

• Agencies should perform a code audit of any web application used on the agency's website, to ensure there are no security vulnerabilities that could be exploited.

• In addition to the measures listed above, agencies are to adhere to the current Australian Government Information Security Manual advice on hardening of web servers and web applications - http://www.dsd.gov.au/infosec/ism/index.htm
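The previous-login display, the unusual-activity notification (with the associated IP address) and the device-profiling items in Annex B can be served by one small login-monitoring component. The Python below is an added example written for this page, not code from the guideline or from any agency; the LoginMonitor class, its in-memory history store and the constructed sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

@dataclass
class LoginEvent:
    when: datetime      # UTC timestamp of the successful login
    ip: str             # client IP address recorded at login
    user_agent: str     # browser/device identifier used to profile access devices

@dataclass
class LoginAssessment:
    previous: Optional[LoginEvent]   # shown back to the user as their last login
    unusual: List[str]               # reasons this login departs from the account's pattern
    notify_user: bool                # True when a follow-up notification email is warranted

class LoginMonitor:
    """Hypothetical per-account login history; an in-memory dict stands in for agency storage."""
    def __init__(self, high_value_service: bool = False) -> None:
        self.history: Dict[str, List[LoginEvent]] = {}
        self.high_value_service = high_value_service  # high value/risk service: always notify

    def record_login(self, username: str, ip: str, user_agent: str, when: datetime) -> LoginAssessment:
        events = self.history.setdefault(username, [])
        previous = events[-1] if events else None
        unusual: List[str] = []
        if previous is not None:
            # compare against the whole history so a user alternating home/work devices is not flagged each time
            if ip not in {e.ip for e in events}:
                unusual.append(f"login from an IP address not seen before ({ip})")
            if user_agent not in {e.user_agent for e in events}:
                unusual.append("login from a browser or device not seen before")
        events.append(LoginEvent(when, ip, user_agent))
        return LoginAssessment(previous, unusual, self.high_value_service or bool(unusual))

def last_login_message(assessment: LoginAssessment) -> str:
    """Banner shown after login: previous login date, time and IP address."""
    if assessment.previous is None:
        return "This is the first login to your account."
    p = assessment.previous
    return f"Your previous login was on {p.when:%Y-%m-%d at %H:%M} UTC from IP address {p.ip}."

def notification_email(username: str, assessment: LoginAssessment, ip: str, when: datetime) -> Optional[str]:
    """Follow-up email text, or None when the login needs no notification."""
    if not assessment.notify_user:
        return None
    lines = [f"Your account {username} was accessed on {when:%Y-%m-%d at %H:%M} UTC from IP address {ip}."]
    lines += [f"Note: {reason}." for reason in assessment.unusual]
    lines.append("If this was not you, contact the agency through the support channels in your Account Terms and Conditions.")
    return "\n".join(lines)
```

The sample IP addresses in the test are documentation ranges; in practice the history would be persisted and the "not seen before" checks extended with whatever device-profiling signals the agency collects.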