Using a risk management framework
The risk management framework used by the ISM draws from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Within this risk management framework, the identification of security risks and selection of security controls can be undertaken using a variety of risk management standards, such as International Organization for Standardization (ISO) 31000:2018, Risk management – Guidelines. Broadly, the risk management framework used by the ISM has six steps: define the system, select security controls, implement security controls, assess security controls, authorise the system and monitor the system.
Define the system
Determine the type, value and security objectives for the system based on an assessment of the impact if it were to be compromised.
When embarking upon the design of a system, the type, value and security objectives for the system, based on confidentiality, integrity and availability requirements, should be determined. This will ultimately guide activities such as selecting and tailoring security controls to meet those security objectives and determining the level of residual risk that will be accepted before the system is authorised to operate.
For organisations that handle government information, the Attorney-General’s Department (AGD)’s Protective Security Policy Framework (PSPF) provides guidance within Table 1 (Business Impact Levels tool – Assessing damage to the national interest, organisations or individuals) of their Sensitive and classified information policy to assist in determining the impact of information compromise.
For organisations that do not handle government information, security controls marked as OFFICIAL and OFFICIAL: Sensitive can be used for a baseline level of protection while those marked as PROTECTED can be used for an increased level of protection.
Following the determination of the type and value of a system, along with its security objectives, a description of the system and its characteristics should be documented in the system’s system security plan.
Select security controls
Select security controls for the system and tailor them to achieve desired security objectives.
Each cyber security guideline discusses security risks associated with the topic it covers. Paired with these discussions are security controls that the ACSC considers to provide efficient and effective mitigations based on the security objectives for a system.
While security risks and security controls are discussed in the cyber security guidelines, and act as a security control baseline, these should not be considered an exhaustive list for a specific activity or technology. As such, the cyber security guidelines provide an important input into each organisation’s risk identification and risk treatment activities however do not represent the full extent of such activities.
While the cyber security guidelines can assist with risk identification and risk treatment activities, organisations will still need to undertake their own risk analysis and risk evaluation activities due to the unique nature of each system, its operating environment and the organisation’s risk tolerances.
Following the selection and tailoring of security controls for a system, they should be recorded along with the details of their planned implementation in the system’s system security plan annex. In addition, and as appropriate, security controls should also be recorded in both the system’s incident response plan and continuous monitoring plan.
Implement security controls
Implement security controls within the system and its operating environment.
Once suitable security controls have been identified and agreed upon for a system, they should be implemented. In doing so, the details of their actual implementation, if different from their planned implementation, should be documented in the system’s system security plan annex.
Assess security controls
Assess security controls for the system and its operating environment to determine if they have been implemented correctly and are operating as intended.
In conducting a security assessment, it is important that assessors and system owners first agree to the scope, type and extent of assessment activities, which may be documented in a security assessment plan, such that any risks associated with the security assessment can be appropriately managed. To a large extent, the scope of the security assessment will be determined by the type of system and security controls that have been implemented for the system and its operating environment.
For TOP SECRET systems, including sensitive compartmented information systems, security assessments can be undertaken by ASD assessors (or their delegates). While for SECRET and below systems, security assessments can be undertaken by an organisation’s own assessors or Information Security Registered Assessors Program (IRAP) assessors. In all cases, assessors should hold an appropriate security clearance and have an appropriate level of experience and understanding of the type of system they are assessing.
At the conclusion of a security assessment, a security assessment report should be produced outlining the scope of the security assessment, the system’s strengths and weaknesses, security risks associated with the operation of the system, the effectiveness of the implementation of security controls, and any recommended remediation actions. This will assist in performing any initial remediation actions as well as guiding the development of the system’s plan of action and milestones.
Authorise the system
Authorise the system to operate based on the acceptance of the security risks associated with its operation.
Before a system can be granted authorisation to operate, sufficient information should be provided to the authorising officer in order for them to make an informed risk-based decision as to whether the security risks associated with its operation are acceptable or not. This information should take the form of an authorisation package that includes the system’s system security plan, incident response plan, continuous monitoring plan, security assessment report, and plan of action and milestones.
In some cases, the security risks associated with a system’s operation will be acceptable and it will be granted authorisation to operate; however, in other cases the security risks associated with operation of a system may be unacceptable. In such cases, the authorising officer may request further work, and potentially another security assessment, be undertaken by the system owner. In the intervening time, the authorising officer may choose to grant authorisation to operate but with constraints placed on the system’s use. Finally, if the authorising officer deems the security risks to be unacceptable regardless of any potential constraints on the system’s use, they may deny authorisation to operate until such time that sufficient remediation actions, if possible, have been completed to an acceptable standard.
For TOP SECRET systems, and systems that process, store or communicate sensitive compartmented information, the authorising officer is Director-General ASD or their delegate. While for SECRET and below systems, the authorising officer is an organisation’s CISO or their delegate.
For multinational and multi-organisation systems, the authorising officer should be determined by a formal agreement between the parties involved. While for commercial providers providing services to organisations, the authorising officer is the CISO of the supported organisation or their delegate.
In all cases, the authorising officer should have an appropriate level of seniority and understanding of security risks they are accepting on behalf of their organisation. In cases where an organisation does not have a CISO, the authorising officer could be a Chief Security Officer, a CIO or other senior executive within the organisation.
Monitor the system
Monitor the system, and associated cyber threats, security risks and security controls, on an ongoing basis.
Regular monitoring of cyber threats, security risks and security controls associated with a system and its operating environment, as outlined in a continuous monitoring plan, is essential to maintaining its security posture. In doing so, specific events may necessitate additional risk management activities. Such events may include:
- changes in security policies relating to the system
- detection of new or emerging cyber threats to the system or its operating environment
- the discovery that security controls for the system are not as effective as planned
- a major cyber security incident involving the system
- major architectural changes to the system.
Following the implementation or modification of any security controls as a result of risk management activities, another security assessment should be completed. In doing so, the system’s authorisation package should be updated. This in turn allows the authorising officer to make an informed risk-based decision as to whether the security risks associated with the system’s operation are still acceptable, and whether to grant ongoing authorisation to operate.
Further information on the use of protective markings can be found in AGD’s PSPF, Sensitive and classified information policy, at https://www.protectivesecurity.gov.au/information/sensitive-classified-information/Pages/default.aspx.
Further information on various risk management frameworks and practices can be found in:
- Department of Finance’s, Commonwealth Risk Management Policy, at https://www.finance.gov.au/government/comcover/commonwealth-risk-management-policy
- AGD’s PSPF, Security planning and risk management policy, at https://www.protectivesecurity.gov.au/governance/security-planning-risk-management/Pages/default.aspx
- ISO 31000:2018, Risk management – Guidelines, at https://www.iso.org/standard/65694.html
- ISO Guide 73:2009, Risk management – Vocabulary, at https://www.iso.org/standard/44651.html
- International Electrotechnical Commission 31010:2019, Risk management – Risk assessment techniques, at https://www.iso.org/standard/72140.html
- ISO 27005:2018, Information technology – Security techniques – Information security risk management, at https://www.iso.org/standard/75281.html
- NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, at https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
- NIST SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, at https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final.
The IRAP website lists the range of activities IRAP assessors are authorised to perform. This information is available at https://www.cyber.gov.au/acsc/view-all-content/programs/irap.