Add to collection(s) Add to saved
  1. Business
  2. Finance
  3. Public Finance

ISMF Standard 141 - Endpoint protection

advertisement 
ISMF
Standard 141
Endpoint Protection
OCIO/S4.6
Government standard on cyber security
Prepared by:
Version:
Date:
Office of the Chief Information Officer
v1.0
12 September 2014
ISMF Standard 141
GOVERNMENT STANDARD ON CYBER SECURITY
OCIO/S4.6 Endpoint Protection
Confidentiality:
Public
Audience:
Compliance:
Creator:
Mandate/Authority:
Original Authorisation Date:
Last Updated and Approved:
Issued:
Primary Contact:
Version:
1.0
Status:
Final
SA Government Agencies; Suppliers to SA Government
Mandatory
Office of the Chief Information Officer
Security and Risk Steering Committee
01 August 2014
01 August 2014
12 September 2014
Not Applicable
Security and Risk Assurance, Office of the Chief Information Officer,
Tel: +61 (8) 8463 4003
Coverage:
The South Australian public authorities required to adhere to this standard are defined in OCIO/F4.1 Government
framework on cyber security – Information Security Management Framework [ISMF].
This standard is intended for use by South Australian Government agencies and suppliers to Government whose
contractual obligations require them to comply with this document. Reliance upon this policy or standard by any
other person is entirely at their own risk and the Crown in the right of South Australia disclaims all responsibility or
liability to the extent permissible by law for any such reliance.
To attribute this material, cite the
Office of the Chief Information
Officer, Government of South
Australia, ISMF Standard 141.
This work is licensed under a Creative Commons Attribution 3.0 Australia
Licence
Copyright © South Australian Government, 2014.
Disclaimer
Endpoint Protection
OCIO/S4.6 version 1.0
Page 2 of 10
ISMF Standard 141
DOCUMENT TERMINOLOGY AND CONVENTIONS
The terms that are used in this document are to be interpreted as described in Internet
Engineering Task Force (IETF) RFC 2119 entitled “Key words for use in RFCs to Indicate
Requirement Levels”1. The RFC 2119 definitions are summarised in the table below.
Term
MUST
MUST NOT
This word, or the terms "REQUIRED" or "SHALL", means that the definition
is an absolute requirement of the specification.
This phrase, or the phrase “SHALL NOT”, means that is an absolute
prohibition of the specification.
SHOULD
This word, or the adjective "RECOMMENDED", means that there may exist
valid reasons in particular circumstances to ignore a particular item, but the
full implications must be understood and carefully weighed before choosing
a different course.
SHOULD NOT
This phrase, or the phrase "NOT RECOMMENDED" means that there may
exist valid reasons in particular circumstances when the particular
behaviour is acceptable or even useful, but the full implications should be
understood and the case carefully weighed before implementing any
behaviour described with this label.
MAY
1
Description
This word, or the adjective “OPTIONAL”, means that an item is truly
optional.
www.ietf.org/rfc/rfc2119.txt?number=2119
Endpoint Protection
OCIO/S4.6 version 1.0
Page 3 of 10
ISMF Standard 141
DOCUMENT CONTROL
Document location
Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and Standards\ISMF\ISMFv3.2\
Electronic records management information
File Folder Number: OCIO08/0073/0003 – Document Number: 8092515
Author(s)
Function / role
Jason Caley
Principal Policy Adviser, Security and Risk Assurance
Anthony Stevens
Senior Analyst, Security and Risk Assurance
Release details
Initial release accompanying issue of ISMF v3.2.0
Distributed to
Published to http://dpc.sa.gov.au/
Version
Date
1.0
September 2014
Version
Date
1.0
September 2014
CLASSIFICATION

Confidentiality
Description
Circulation limit
PUBLIC-I2-A1
No harm could be caused to an organisation or
individual and no unfair advantage could be
given to any entity and no violation would occur
to somebody’s right to privacy. Integrity 2 with
low availability requirements.
Unrestricted access.
Endpoint Protection
OCIO/S4.6 version 1.0
Page 4 of 10
ISMF Standard 141
TABLE OF CONTENTS
1.
AUTHORITY .................................................................................................. 6
2.
CONTEXT ...................................................................................................... 6
2.1.
2.2.
Background ................................................................................................. 6
History ......................................................................................................... 6
3.
SCOPE .......................................................................................................... 7
4.
TERMS AND ABBREVIATIONS ................................................................... 7
4.1.
5.
IMPLEMENTATION ....................................................................................... 9
5.1.
5.2.
6.
Terms ........................................................................................................... 7
ISMF Standard 141 ...................................................................................... 9
Business Controls ...................................................................................... 9
REFERENCES AND LINKS .........................................................................10
Endpoint Protection
OCIO/S4.6 version 1.0
Page 5 of 10
ISMF Standard 141
1. AUTHORITY
This document states the standard of the Government of South Australia with respect to endpoint
protection. Implementation of this standard supports the objectives of ISMF Policy Statement 18.
Policy Statement 18
Responsible Parties shall undertake an active role in protecting information assets
from exposure to malicious software and scripts including but not limited to:
implementing controls to prevent and restrict the proliferation of virus and trojan
software, educating personnel in the risks associated with the use and/or introduction
of unauthorised software products, and, where appropriate, introducing custom
controls to detect or prevent its introduction.
2. CONTEXT
2.1.
Background
Dependence on information systems and services means agencies are more vulnerable to security
threats. The interconnecting of public and private networks and sharing of information resources
increases the difficulty of achieving access control.
Reliance on technical means alone to provide comprehensive security is unrealistic – it needs to be
supported by appropriate management of Information Assets. Generally, the weakest point in any
information system is where the operating environment is accessible to users – typically via an
endpoint. Protecting these endpoints requires a combination of technology controls (both hardware
and software), comprehensive policies which outline users’ responsibilities, and ongoing education to
ensure users (and Business Owners) are aware of the risks, and the threats.
2.2.
History
This standard has no direct predecessors. It is an evolution and replacement of the former
Threat Protection Standard (OCIO/S6.8.1 Technology Threat Protection – Infrastructure Threat
Protection Software Standard). Shifting technology emphasis from centralised computing and
traditional client-server desktop environments to mobile devices (e.g. tablets, smartphones,
portable PCs) has led to a requirement to consider endpoints in a variety of situations.
This standard brings to the fore a number of protection measures which are derived from and
described within the ISO/IEC 27002 code of practice.
Endpoint Protection
OCIO/S4.6 version 1.0
Page 6 of 10
ISMF Standard 141
3. SCOPE
This standard encompasses all Government of South Australia data and information.
The ISMF and all security Bulletins, Notifications and standards issued under it shall apply,
unless otherwise advised, to all bodies that are:
o
South Australian Government public sector agencies (as defined in the Public Sector Act
2009), that is, administrative units, bodies corporate, statutory authorities, and
instrumentalities of the Crown. Public sector agencies are herein referred to as
“Agencies”; OR
o
Suppliers to the South Australian Government or its Agencies that have contractual
conditions which require compliance to the ISMF as described in section 2.1 of the ISMF
The ISMF and all security Bulletins, Notifications and standards issued under it shall apply to:
o
o
All information processed, stored or communicated by ICT equipment, where that
information is either:

Official Information of the South Australian Government or its Agencies; or

Information of which the South Australian Government or any of its Agencies has
custody2

Information as described above which Suppliers that have contractual conditions
that require compliance to the ISMF as described in section 2.1 of the ISMF hold
on behalf of the South Australian Government or any its Agencies
Anything that acts upon an ICT asset, including creating, controlling, validating, and
otherwise managing the ICT asset throughout the lifecycle of the asset.
4. TERMS AND ABBREVIATIONS
4.1.
Terms
“Responsible Party” is used in two contexts within the ISMF. These are:
2
o
An Agency – the internal to government body that retains ultimate responsibility for all
aspects covered by the Information Security Management Framework [ISMF] as it
relates to a particular agency and its information assets.
o
A Supplier – an external to government entity that is typically responsible for compliance
with the ISMF by way of a contractual agreement that contains clauses requiring security
of Agency information and the regulation of access to an Agency’s information assets.
The term “Supplier” shall be read as “Suppliers who are subject to contractual conditions
that require them to comply with the ISMF” unless another intention is apparent.
Note the definition of “custody” in the ISMF differs from State Records’ interpretation.
Endpoint Protection
OCIO/S4.6 version 1.0
Page 7 of 10
ISMF Standard 141
When a Supplier has contracted with the State, the provisions of the ISMF will apply to the
Supplier either:
o
under the terms of a Purchasing Agreement for whole of Government contracts and
associated Customer Agreements; or
o
by way of an individual contract with an Agency whereby the Agency has specified the
parts of its Information Security Management System [ISMS] for which compliance is
sought.
It should be noted that Agency Chief Executives retain ultimate accountability for all security
matters within their agencies. The application of the ISMF to a Supplier via a contract with the
State or Agency shall not absolve the Agency from these obligations and responsibilities.
“Responsible Parties” includes both Agencies and Suppliers who are subject to contractual
conditions that require them to comply with the ISMF. Where any ambiguity arises between
these entities in relation to adherence to the ISMF, the Agency Controls implemented in the
Customer Agreement shall prevail (i.e. The Agency remains the default party and the Customer
Agreement is used as the vehicle for setting the scope and requirements for the Supplier to
comply with either the entirety of the ISMF or part(s) thereof. The Customer Agreement may
also introduce additional Agency-specific controls and policies that the Supplier must comply
with).
“Business Owner” represents the person or group that is ultimately responsible for an
information asset. This person or group is distinct from an information custodian, who may take
responsibility for the ongoing management of the information (such as a CIO or system
administrator). Individual business units should own business critical information, rather than
information technology or information security departments (they are custodians, not owners).
The manager of the business unit responsible for the creation of any information and / or the
business unit directly impacted by the loss of the information is usually the Business Owner. A
Business Owner or group of Business Owners must be identified for each information asset.
“Endpoint” means any device that is the final interface at the edge of a network and directly
used, managed or accessed by a person or persons. These devices may include desktop PCs,
laptops, tablets, smartphones, point of sale terminals, thin-client terminals, etc.
“Endpoint Protection” refers to the security measures implemented for user accessible
devices at the edge of a network that may contain, or provide access to, information for an end
user.
Endpoint Protection
OCIO/S4.6 version 1.0
Page 8 of 10
ISMF Standard 141
5. IMPLEMENTATION
5.1. ISMF Standard 141
Agencies must establish and maintain security measures that ensure proportionate protection of
Endpoint devices relative to the confidentiality, integrity and availability classification of information
being accessed or processed on such devices.
5.2. Business Controls
The following general guidance applies regardless of the classification levels of the information
assets:
S141.1
Responsible Parties shall deploy and maintain appropriate anti-virus/anti-malware
solutions encompassing Endpoint devices (ISMF Standards 54 and 55)
S141.2
Responsible Parties shall maintain the operating system and installed applications with
relevant patches as provided by the manufacturer (ISMF Standard 121, Control S134.3)
S141.3
Responsible Parties should establish procedures for the granting and revocation of
administrative privileges while discouraging their use unless explicitly required (ISMF
Standard 78)
S141.4
Agencies should consider implementing application whitelisting, to prevent the use of
applications that are not sanctioned by the business, have not been adequately tested or
are not required by the user to perform their duties (Control S54.1)
S141.5
Agencies should remove or otherwise disable non-essential software and functionality that
are not required by the user (e.g. autorun, IPv6). Such measures should also take into
account browser and web navigation plug-ins. (e.g. Java, Shockwave, Flash etc.) (ISMF
Standard 54)
S141.6
Agencies shall establish specific controls to prevent unauthorised access to mobility
devices (ISMF Standard 101)
S141.7
Responsible Parties should consider additional controls for unattended equipment (ISMF
Standard 82)
S141.8
Responsible Parties shall implement session/inactivity timeouts on all Endpoint devices
(ISMF Standard 97).
Additional controls based on DLMs and protective markings
CLASSIFICATION
[P] Protected
ADDITIONAL CONTROLS
S141.9
Endpoint devices must not be connected to public internet
WiFi hotspots (irrespective of whether they are free or for fee
services).
S141.10
Endpoint devices must not be connected to Internet Kiosks
and other generally accessible public facilities.
[SC] Sensitive: Cabinet
[I4] Integrity 4
Endpoint Protection
OCIO/S4.6 version 1.0
Page 9 of 10
ISMF Standard 141
6. REFERENCES AND LINKS
ISMF Guideline 18 - Endpoint protection (incl. smartphones and portable devices)
OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF]
Government of South Australia Protective Security Management Framework [PSMF] issued as
Premier and Cabinet Circular No. 30
AS/NZS ISO/IEC 27002:2006 Information Technology – Security techniques – Code of Practice
for Information Security Management
Application Whitelisting Explained, Australian Signals Directorate, Australian Government,
Canberra.
This work is licensed under a Creative Commons Attribution 3.0 Australia Licence
Copyright © South Australian Government, 2014.
Disclaimer
Related documents
ISMF Guideline 2 – An approach to risk assessment using the ISMF
ISMF Guideline 2 – An approach to risk assessment using the ISMF
ISMF Guideline 23 - Monitoring and event logs (Word, 1.8MB)
ISMF Guideline 23 - Monitoring and event logs (Word, 1.8MB)
ISMF Guideline 6 – Cyber security in procurement activities (Word
ISMF Guideline 6 – Cyber security in procurement activities (Word
ISMF Guideline 25 - User Access Management
ISMF Guideline 25 - User Access Management
Cyber Security Readiness in Government Through the Development
Cyber Security Readiness in Government Through the Development
Frisch_MWMF11
Frisch_MWMF11
ISMF Guideline 18 - Endpoint protection (including smartphones
ISMF Guideline 18 - Endpoint protection (including smartphones
Real Life examples of Geometry
Real Life examples of Geometry
Infrastructure Strategy
Infrastructure Strategy
ISMF Guideline 37a - Department of the Premier and Cabinet
ISMF Guideline 37a - Department of the Premier and Cabinet
Pearls and Perils of the O-CIO Model Overview
Pearls and Perils of the O-CIO Model Overview
Information Security Management Framework version 3.2.0
Information Security Management Framework version 3.2.0
Download
advertisement