
Australian Government Information Technology Security Manual

Contents: Acknowledgements; Name change; The different versions; Handling and dissemination; Keywords; Relationship with the PSM; Phasing to the new; Templates; Where to from here.


Presentation Transcript


    1. Australian Government Information Technology Security Manual. Chris Barrett, CISSP, Information Security Group, Defence Signals Directorate

    3. Acknowledgements

    4. Why the Change of Name? Reflects the importance of the document, and its alignment with the Protective Security Manual. The manual will also be known as “ACSI 33”.

    5. Version/Classification

    6. Example: UNCLASSIFIED version. 101. Agencies SHOULD … 103. Agencies MUST …

    7. Example: SECURITY-IN-CONFIDENCE version. 101. Agencies SHOULD … 102. Agencies MUST … 103. Agencies MUST … Text that only appears in the SECURITY-IN-CONFIDENCE version appears in blue.

    8. Handling and Dissemination: UNCLASSIFIED. Authorised for public release.

    9. Handling and Dissemination: SECURITY-IN-CONFIDENCE. Not to be made available, directly or indirectly, to the public, or to persons not considered to have a need-to-know, unless approved by DSD. Approved for release to companies intending to apply for Government business. Provision is agency’s responsibility, not DSD’s. Readers do not require a security clearance … but do need to have a need-to-know. Transmission and storage in accordance with the PSM and ACSI 33.

    10. Primary Distribution Points. UNCLASSIFIED: DSD’s Internet website (www.dsd.gov.au). SECURITY-IN-CONFIDENCE: CD-ROM mail-out; Defence Security Authority’s website on the Defence Restricted Network. Documents will be released as PDFs.

    11. Keywords - Before

    12. Keywords - Now. MUST [NOT]: Mandatory. Non-compliance requires a waiver in accordance with the PSM. SHOULD [NOT]: Reasons for deviating MUST be documented. RECOMMENDED: Agencies are encouraged to document their reasons for not following. These have been based on RFC 2119.

    13. Relationship with the PSM. The majority of technical content relating to IT security will probably be removed from the PSM. PSM will probably say something like: “IT systems processing Australian Government information must comply with ACSI 33.” Non-compliance with MUSTs and MUST NOTs in ACSI 33 will mean that an agency is not complying with the PSM and therefore requires a waiver.

    14. SHOULDs and SHOULD NOTs. SHOULD: Valid reasons to deviate from the item may exist in particular circumstances, but the full implications need to be considered before choosing a different course. SHOULD NOT: Valid reasons to implement the item may exist in particular circumstances, but the full implications need to be considered before choosing this course. Agencies deviating from a SHOULD or SHOULD NOT, MUST document the reason(s) for doing so.

    15. SHOULDs and SHOULD NOTs. Does not need to be elaborate. The inclusion of a risk management plan is encouraged. Demonstrates to the Certification and/or Accreditation Authorities that the issues were properly considered. Provides the ability to review past decisions as the threat environment changes. Deviations do not require DSD’s approval … but we’d be happy to discuss or be advised.

    16. Phasing to the new. These documents have been superseded: ACSI 33 (2000); ACSI 37; ASSRO Supp 1 - Parts A & B; DSD Policy Advisory on the use of SSL. Gateway Certification Guide will live on … for now.

    17. Phasing to the new. Most policies and standards haven’t changed … too much. Agencies are expected to meet ACSI 33 by the end of 2004.

    18. Templates. We believe that there is already enough material in the public domain to not warrant DSD creating its own templates. We’ve decided to provide links on our website to existing material. Agencies are encouraged to adapt them to suit their requirements.

    19. Where to from here? Original scope was to consolidate the documents and fix the obvious issues … in the end, we’ve fixed more than we planned … more work is required. We need to continue to review the material and update it as required. We need your assistance for this. Feedback is important.

    20. Updates. Will probably be released quarterly, e.g. March, June, September, December. Important changes will result in more frequent updates. Issued only in electronic form at the primary distribution points. Will consist of: updated PDFs, and a stand-alone document summarising the changes since the last release. Version = classification; Release = date of release.
