ISMF Guideline 1



OCIO/G4.1

Government guideline on cyber security

Securing smart-phones and other portable storage devices


BACKGROUND

Smart-phones and portable storage devices introduce a number of data protection concerns for agencies due to the technical capabilities of the devices (e.g. large storage capacity, fast speed of transfer, easy functionality) combined with them being small, light-weight, low cost and of a portable nature.

Portable Storage Device [PSD] use by public sector employees has grown significantly in recent years. Consequently, agencies must be aware of the risks associated with the use of these devices in order to ensure adequate safeguards are in place.

This guideline assists agencies to ensure that portable storage devices used by their employees are used in a manner that adequately protects the agency’s information assets.



GUIDANCE

Agencies are responsible for developing and implementing policies and procedures to ensure the security of mobile devices and other forms of portable telecommunications equipment. Such policies and procedures will need to account for the unique business risk profile that has been determined by each business. What is considered ‘acceptable use’ in one agency may not necessarily be considered acceptable in a different line of business due to the sensitivity of information involved and/or the findings of a business impact assessment against identified risks.

Agency policies and procedures must be developed in accordance with the minimum requirements described in the government’s Information Security Management Framework [ISMF] as outlined in the tables on the next page.

The predominant cyber security standards relating to PSDs and smartphones are ISMF Standards 59, 60, 101 and 131 respectively.








ISMF Guideline 1 (v1.1): Government guideline on cyber security. Securing smart-phones and other portable storage devices.
Page 2 of 5




Table 1 - Minimum requirements for Portable Storage Devices (including smart-phones).

Applicability: ALL

Relevant ISMF standard: 59 - Procedures shall be established for the secure management and recovery of Portable Storage Devices.

Controls:

S59.1 Responsible Parties must implement the control(s) and should implement the guidance described in clause 10.7.1 of the AS/NZS ISO/IEC 27002 standard.

S59.2 Where removable storage media is kept off-site it should be physically controlled and restricted to authorised personnel. The level of control should be equivalent to that applied at the primary site.

S59.3 Responsible Parties shall document and implement recovery procedures for the return of assets including Portable Storage Devices as described in ISMF Standard 28 (Return of Assets).

S59.4 Disposal of storage media should be carried out in line with ISMF Standard 60 (Sanitisation and/or disposal of media).

S59.5 Portable Storage Devices [PSDs] that are to be used outside of the standard office environment or primary site should be protected according to classification markings described in this framework. In general, only Public information should be stored on PSDs in an unencrypted and/or non password controlled method. Agencies must adhere to the requirements described in ISMF Standard 101 in such instances.

S59.6 Responsible Parties should implement the techniques described by controls 0332 to 0336 in the ISM.

S59.7 Responsible Parties must implement controls 0337 and 0338 in the ISM.

Applicability: Information assets marked at or above [SLC] Sensitive: Legal or Commercial, [SM] Sensitive: Medical, [SP] Sensitive: Personal, [A3] Availability 3

Controls:

S59.8 When not in use, PSDs or other removable media containing backups or other information should be stored in secure rooms or cabinets on the Responsible Party’s premises.

S59.9 Responsible Parties must implement controls 0831 and 0832 in the ISM.


Applicability: Information assets marked at or above [FOUO] Official Use Only, [SOUO] Sensitive, [A2] Availability 2

Controls:

S59.10 PSDs shall be encrypted and/or password protected according to Agency information security policies.

S59.11 If no longer required, the previous contents of any re-usable media that are to be removed from the organization should be securely erased using wiping methods described in pages 131 to 141 of the ISM.

S59.12 Clause 10.7.1b of the AS/NZS ISO/IEC 27002 standard.

S59.13 Certain removable media should be physically secured during transportation to off-site locations (ISMF Standard 64).




Table 2 - Additional requirements specific to mobility devices such as smart-phones.

Applicability: ALL

Relevant ISMF standard: 101 - Responsible parties shall implement specific controls for the protection of mobile assets incorporating portable storage devices and other forms of portable telecommunications equipment in recognition of the unique risks these assets introduce.

Controls:

S101.1 Responsible Parties shall implement formal policies and operating procedures for the use of portable storage devices in alignment with the controls and guidance contained in clause 11.7.1 of the AS/NZS ISO/IEC 27002 standard.

S101.2 Responsible Parties shall comply with agency and whole-of-government policies, standards and guidelines in circumstances where portable storage devices are used to process and/or store South Australian Government information that contains classification markings.

S101.3 South Australian Government policies, procedures and standards pertaining to the use of portable storage devices and the general requirement to protect information used in public places should be included in an agency’s information security awareness program.

S101.4 Third parties, including suppliers and temporary or contract personnel, should be informed of agency and whole-of-government policies, standards and procedures pertaining to the use of portable storage devices.

S101.5 Mobile computing devices such as notebooks, tablets and netbooks should be labelled with a contact name and phone number in case of loss. Typically the contact name and number should be generic, such as the security desk of the responsible party, and shall contain no personally identifiable markings.

S101.6 Users should not be permitted to modify a portable device or the software on it without authorisation. Installation of software such as games and entertainment packages should be prohibited.


Applicability: Information assets classified at or above [P] Protected, [I4] Integrity 4

Controls:

S101.7 Agencies may deem it inappropriate for information classified at this level to be stored on portable equipment that is to be used outside the office.

S101.8 Strict encryption and user authentication requirements apply for such information deployed on portable storage devices as summarised in the Classification chapter of the ISMF.

Applicability: Information assets classified at or above [FOUO] Official Use Only, [SOUO] Sensitive

Controls:

S101.9 Responsible parties should ensure that encryption is enabled on portable storage devices (to the greatest extent practicable) and that such encryption is approved for the purpose as described by the Australian Government Information Security Manual.

S101.10 Agencies must ensure that portable USB thumb drives (also known as USB Keys) are encrypted using an approved algorithm as described on page 205 of the Australian Government Information Security Manual.

S101.11 Responsible parties should develop procedures and processes to ensure that only copies of information are stored on portable storage devices. Information stored on encrypted devices may be unrecoverable if passwords and/or cryptographic keys are lost or otherwise corrupted.


ADDITIONAL CONSIDERATIONS




Agencies should educate their users on the risks associated with using mobility and portable storage devices and help them to understand what is required of them in helping to ensure the confidentiality, integrity and availability of government information assets.

Agency developed ‘acceptable use policies’ for information assets will need to consider if ‘bring-your-own-device’ is an appropriate practice and, in the affirmative, will need to specifically address practices and procedures for personnel’s use of personal assets in the workplace (see ISMF Standard 131).

The ‘need-to-know’ principle must be maintained. Personnel accessing or using official information and other information assets away from the office must treat those resources with the same level of care and discretion as if working in their usual environment. Particular care should be taken when communicating in public locations (see ISMF Standard 68).

Portable storage devices and mobility devices should not be connected to any official networks without approval. If approval for connection is given, then network authentication credentials should not be cached locally on the device.

Agencies must implement formal procedures for the sanitisation and/or secure and safe disposal of media that is no longer required, in alignment with the technical controls described in the Australian Government ISM (see ISMF Standard 60).

Responsible Parties should make their smart-phone users aware of the risks associated with public storage drop boxes and storage spaces. Such areas cannot be considered secured or secure areas, may be hosted in foreign jurisdictions, and information may be intercepted in transit.

This guideline does not aim to provide the reader with all of the controls for smart-phone and mobile device security. It is merely an overview of the information provided in applicable government cyber security policy and the AS/NZS ISO/IEC 27002 standard. It is highly recommended that agencies review these documents in their entirety. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s).


REFERENCES, LINKS & ADDITIONAL INFORMATION

OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF]

AS/NZS ISO/IEC 27002:2006

Code of Ethics for the South Australian Public Sector

Australian Government Information Security Manual [ISM]

Australian Government Office of the Privacy Commissioner - Information Sheet 3

DSD iOS Hardening Configuration Guide

The US National Security Agency security configuration guides

Australian Government Protective Security Policy Framework [PSPF]







ID: OCIO_G4.1

Classification/DLM: PUBLIC-I1-A1

Issued: February 2012

Authority: State Chief Information Security Officer

Master document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and Standards\ISMF\ISMFguidelines\ISMFguideline1(smartphones).docx

Records management: File Folder: 2011/15123/01 - Document number: 5817503

Managed & maintained by: Office of the Chief Information Officer

Author: Will Luker, Project Officer / Hannah Wheaton, Graduate Project Officer

Reviewer: Jason Caley CISM, MACS (CP), IP3P, CRISC, CEA, Principal Policy Adviser

Compliance: Discretionary

Review date: February 2014





To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Guideline 1.

This work is licensed under a Creative Commons Attribution 3.0 Australia Licence.

Copyright © South Australian Government, 2012.

Disclaimer