1. Australian Government Information Technology Security Manual
Chris Barrett CISSP
Information Security Group
Defence Signals Directorate
2. Contents
Acknowledgements
Name change
The different versions
Handling and dissemination
Keywords
Relationship with the PSM
Phasing to the new
Templates
Where to from here
3. Acknowledgements
4. Why the Change of Name?
Reflects the importance of the document, and its alignment with the Protective Security Manual (PSM)
The manual will also be known as “ACSI 33”
5. Version/Classification
6. Example: UNCLASSIFIED version
101. Agencies SHOULD …
103. Agencies MUST …
7. Example: SECURITY-IN-CONFIDENCE version
101. Agencies SHOULD …
102. Agencies MUST …
103. Agencies MUST …
Text that appears only in the SECURITY-IN-CONFIDENCE version (here, paragraph 102) is printed in blue; paragraph numbering is kept consistent across both versions, so the UNCLASSIFIED version simply skips the numbers of withheld paragraphs.
8. Handling and Dissemination: UNCLASSIFIED
Authorised for public release
9. Handling and Dissemination: SECURITY-IN-CONFIDENCE
Not to be made available, directly or indirectly, to the public, or to persons not considered to have a need-to-know, unless approved by DSD
Approved for release to companies intending to apply for Government business
Provision to such companies is the agency’s responsibility, not DSD’s
Readers do not require a security clearance …
… but do need to have a need-to-know
Transmission and storage must be in accordance with the PSM and ACSI 33
10. Primary Distribution Points
UNCLASSIFIED
DSD’s Internet website (www.dsd.gov.au)
SECURITY-IN-CONFIDENCE
CD-ROM mail-out
Defence Security Authority’s website on the Defence Restricted Network
Documents will be released as PDFs
11. Keywords - Before
12. Keywords - Now
MUST [NOT]
Mandatory
Non-compliance requires a waiver in accordance with the PSM
SHOULD [NOT]
Reasons for deviating MUST be documented
RECOMMENDED
Agencies are encouraged to document their reasons for not following the item
These keywords are based on RFC 2119
13. Relationship with the PSM
The majority of technical content relating to IT security will probably be removed from the PSM.
PSM will probably say something like:
“IT systems processing Australian Government information must comply with ACSI 33.”
Non-compliance with MUSTs and MUST NOTs in ACSI 33 will therefore mean that an agency is not complying with the PSM, and so requires a waiver
14. SHOULDs and SHOULD NOTs
SHOULD
Valid reasons to deviate from the item may exist in particular circumstances, but the full implications need to be considered before choosing a different course
SHOULD NOT
Valid reasons to implement the item may exist in particular circumstances, but the full implications need to be considered before choosing this course
Agencies deviating from a SHOULD or SHOULD NOT MUST document the reason(s) for doing so
15. SHOULDs and SHOULD NOTs
The documented reason(s) for a deviation need not be elaborate
The inclusion of a risk management plan is encouraged
Documentation demonstrates to the Certification and/or Accreditation Authorities that the issues were properly considered
It also provides the ability to review past decisions as the threat environment changes
Deviations do not require DSD’s approval …
… but we’d be happy to discuss them or be advised of them
16. Phasing to the new
These documents have been superseded:
ACSI 33 (2000)
ACSI 37
ASSRO Supp 1 - Parts A & B
DSD Policy Advisory on the use of SSL
Gateway Certification Guide will live on … for now
17. Phasing to the new
Most policies and standards haven’t changed …
… too much
Agencies are expected to meet ACSI 33 by the end of 2004
18. Templates
We believe that there is already enough material in the public domain to not warrant DSD creating its own templates
We’ve decided to provide links on our website to existing material
Agencies are encouraged to adapt it to suit their requirements
19. Where to from here?
Original scope was to consolidate the documents and fix the obvious issues …
… in the end, we’ve fixed more than we planned
… more work is required
We need to continue to review the material and update it as required
We need your assistance for this
Feedback is important
20. Updates
Will probably be released quarterly
e.g. March, June, September, December
Important changes will result in more frequent updates
Issued only in electronic form at the primary distribution points
Will consist of:
updated PDFs, and
a stand-alone document summarising the changes since the last release
Terminology used for releases:
Version = classification (UNCLASSIFIED or SECURITY-IN-CONFIDENCE)
Release = date of release