As correctional facilities adopt an expanding technology platform to improve operations, facility management and correctional education, new modes of risk continue to emerge. NDY associate Travis Chehab was a featured speaker at the 2015 Prisons Conference, where he presented on the Australian Government Information Security Manual (ISM).
1. The Growing Threat to Information Security: A focus on ISM
Prisons 2015, Melbourne
Travis Chehab
t.chehab@ndy.com
www.ndy.com
2. The Threat...
Australian networks face an unprecedented threat of malicious activity and loss of information.
Malicious Actors:
1. State-Sponsored Attackers
2. Cyber Criminals
3. Issue-Motivated Groups
Source: CSOC Update, Cyber Security Picture 2013, June 2014
4. The Threat...
A new piece of malware is created every 1.5 seconds!
Source: ISM – Trend Micro, Trend Micro Annual Report: The Future of Threats and Threat Technologies, 2009. ISM – RSA, Cybercrime Trends Report – The Current State of Cybercrime and What to Expect in 2011.
5. Prison Technology Drivers...
• Reduced rates of recidivism
  • PILS
• Energy & Sustainability
  • Co/Tr-Gen
  • Water Treatment & Recycling Plants
  • Lighting control
• System Resilience & Uptime
  • Back-up generation and UPS
  • N+1 systems / system redundancy
• Streamlining Process & Flexibility
  • Centralised control, management, monitoring and response
Technology Convergence: The Integrated Communications Network (ICN)
6. Important Questions
What would a serious cyber security incident cost our organisation?
Who would benefit from having access to our information?
What makes us secure against threats?
Is the behaviour of our staff enabling a strong security culture?
Are we ready to respond to a cyber security incident?
8. ISM Principles Volume
Policy and procedure:
• Information security policy
• Security risk management plan
• System security plan
• Standard operating procedures
• Incident response plan
• Emergency procedures
• Business continuity and disaster recovery plans
9. ISM Controls Volume
‘Applicability’ of a control, i.e. Classifications: TOP SECRET, SECRET, CONFIDENTIAL, PROTECTED, GOVERNMENT/UNCLASS
‘Compliance’ language – Should vs. Must
‘Authority’ and approval of non-compliances:
• DSD – Director DSD (ASD)
• AH – Agency Head
• AA – Accreditation Authority
Precinct/Facility Classification... who’s on the other side of the wall?
• Non-Shared Government Facility
• Shared Government Facility
• Shared Non-Government Facility
10. ISM Controls Volume
1. Information Security Governance
2. Physical Security
3. Personnel Security
4. Communications Security *
5. Information Technology Security
What does a ‘control’ look like?
Control: 1117; Revision: 0; Updated: Nov-10; Applicability: G, P, C, S, TS; Compliance: should; Authority: AA
Agencies should use fibre optic cabling.
How do we use controls and for what project aspects?
Statement of Applicability (SoA)
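The slides above describe a control record (ID, revision, applicability by classification, should/must compliance language, and the authority who approves a non-compliance) and ask how those records are turned into a Statement of Applicability for a project. The script below is an added example written for this page; it is not NDY's code and not an ASD/ISM tool. It assumes the header layout shown for control 1117 is fixed (field order and semicolon separators). Control 1117 is quoted from the slide; the records with IDs 9001 and 9002 are constructed placeholders, not ISM controls, and their wording is invented only to exercise the filter.

```python
import re
from dataclasses import dataclass

# Classification letters as used in the ISM 'Applicability' field
# (G = GOVERNMENT/UNCLASS, P = PROTECTED, C = CONFIDENTIAL, S = SECRET, TS = TOP SECRET).
CLASSIFICATIONS = {"G": "GOVERNMENT/UNCLASS", "P": "PROTECTED", "C": "CONFIDENTIAL",
                   "S": "SECRET", "TS": "TOP SECRET"}

# Who may approve a non-compliance, keyed by the 'Authority' field on the slide.
AUTHORITIES = {"DSD": "Director DSD (ASD)", "AH": "Agency Head", "AA": "Accreditation Authority"}

# Header layout assumed from control 1117 on the slide; anything else is rejected.
HEADER_RE = re.compile(
    r"^Control:\s*(?P<id>\d+);\s*Revision:\s*(?P<rev>\d+);\s*Updated:\s*(?P<updated>[^;]+);"
    r"\s*Applicability:\s*(?P<applic>[^;]+);\s*Compliance:\s*(?P<compliance>should|must);"
    r"\s*Authority:\s*(?P<authority>DSD|AH|AA)\s*$")


@dataclass(frozen=True)
class Control:
    id: int
    revision: int
    updated: str
    applicability: frozenset  # subset of CLASSIFICATIONS keys
    compliance: str           # "should" or "must"
    authority: str            # "DSD", "AH" or "AA"
    text: str


def parse_controls(blob):
    """Parse alternating header/text lines into Control records.

    A header without a text line, a malformed header, or an unknown
    classification letter is an error, not a silently dropped control.
    """
    lines = [ln.strip() for ln in blob.strip().splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("control header without control text")
    controls = []
    for header, text in zip(lines[0::2], lines[1::2]):
        m = HEADER_RE.match(header)
        if not m:
            raise ValueError(f"not a control header: {header!r}")
        applic = frozenset(a.strip() for a in m["applic"].split(","))
        unknown = applic - set(CLASSIFICATIONS)
        if unknown:
            raise ValueError(f"control {m['id']}: unknown classification {sorted(unknown)}")
        controls.append(Control(int(m["id"]), int(m["rev"]), m["updated"].strip(),
                                applic, m["compliance"], m["authority"], text))
    return controls


def statement_of_applicability(controls, classification):
    """Controls that apply to a system at `classification`, 'must' listed before 'should'."""
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification {classification!r}")
    applicable = [c for c in controls if classification in c.applicability]
    return sorted(applicable, key=lambda c: (c.compliance != "must", c.id))


def deviation_approvals(soa, non_compliant_ids):
    """For each SoA control the project will not meet, name who must approve that."""
    by_id = {c.id: c for c in soa}
    missing = set(non_compliant_ids) - by_id.keys()
    if missing:
        raise ValueError(f"not in the SoA: {sorted(missing)}")
    return {cid: AUTHORITIES[by_id[cid].authority] for cid in sorted(non_compliant_ids)}


# Sample input. 1117 is quoted from the slide; 9001 and 9002 are constructed
# placeholders (not ISM controls) whose text is invented for this example.
SAMPLE_CONTROLS = """
Control: 1117; Revision: 0; Updated: Nov-10; Applicability: G, P, C, S, TS; Compliance: should; Authority: AA
Agencies should use fibre optic cabling.
Control: 9001; Revision: 0; Updated: Nov-10; Applicability: P, C, S, TS; Compliance: must; Authority: AH
Placeholder 'must' control (constructed for this example, not ISM text).
Control: 9002; Revision: 1; Updated: Nov-10; Applicability: S, TS; Compliance: must; Authority: DSD
Placeholder control applying only at SECRET and above (constructed).
"""


def protected_soa_report():
    """SoA for a PROTECTED system, plus the approval needed to deviate from 1117."""
    soa = statement_of_applicability(parse_controls(SAMPLE_CONTROLS), "P")
    return {"classification": CLASSIFICATIONS["P"],
            "control_ids": [c.id for c in soa],
            "must": [c.id for c in soa if c.compliance == "must"],
            "should": [c.id for c in soa if c.compliance == "should"],
            "approvals": deviation_approvals(soa, [1117])}


if __name__ == "__main__":
    report = protected_soa_report()
    print(f"SoA for a {report['classification']} system: {report['control_ids']}")
    for cid, who in report["approvals"].items():
        print(f"non-compliance with {cid} needs approval from: {who}")
```

For a PROTECTED system the SoA keeps 1117 and 9001 and drops 9002, because "P" is absent from 9002's applicability; a deviation from 1117 is routed to the Accreditation Authority because that is the control's stated authority. The strict header parser is deliberate: an SoA built from a control that failed to parse, or from a classification letter nobody recognised, is exactly the kind of gap an accreditation review will find.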