Friday 18 September 2015

Developing an Australian cybersecurity framework

The Australian government is developing a framework for how Australia should best address electronic threats and the US NIST Cybersecurity Framework offers some pointers as to what approach may be best suited for the task.

The Australian Cyber Security Centre (ACSC) has been busy since it was announced in late 2014; its first big event was Australia’s first cybersecurity conference, held in Canberra in April.

The conference drew over 700 security experts from Australia and abroad, highlighting how critical the issue of cybersecurity has become in Australia in recent years.

There is a strong consensus that cybersecurity plays an important part in ensuring a country’s economic future. This is especially true in Australia. The mining boom is petering out and there’s increased focus on where we are headed as a nation in the next decade.

Cybersecurity will play a pivotal role in the necessary economic transition. Governments have tended to think of national security in terms of military strength, but the focus is now shifting towards ensuring the economic strength of companies and nations through cybersecurity.

It really is that important.

The ACSC draws together Australia’s various national security agencies. There was a recent call, from AISA (Australian Information Security Association) chairman James Turner, to roll these into one body, but that would cause its own problems. Centralisation of security doesn’t work – you need multiple points of view. That is true in the enterprise, and it is true in government.

It’s true that there have been well documented problems of coordination between national security agencies, in a number of countries, but those issues are exactly what the ACSC is designed to address. In security, the efficient coordination of different points of view is preferable to a single point of view.

In a keynote speech at the ACSC conference, Margot McCarthy, Associate Secretary for National Security and International Policy at the Department of Prime Minister and Cabinet, outlined the development of the Government’s Cyber Security Review, which is currently underway.

The review will be released publicly later this year after it has been reviewed by senior government figures. It will be an important document, forming the basis of Australia’s coordinated cybersecurity strategy in the coming years.

So what will it contain? Well, it may draw on the US NIST (National Institute of Standards and Technology) Cybersecurity Framework, released in early 2014.

The NIST framework is voluntary: it relies on self-assessment and market self-regulation rather than mandated compliance. This approach has been successful in the US, and it works because organisations want to protect their reputation and keep their insurance premiums down. The framework comprises three primary components: profiles, implementation tiers and a framework core.

The profile component enables organisations to align and improve cybersecurity practices based on their individual business needs, tolerance for risk, and available resources. An organisation creates a Current Profile by measuring its existing programs against the recommended practices in the Framework, then defines a Target Profile describing the outcomes it wants to achieve. Comparing the two exposes the gaps that should be closed, and provides the basis for a prioritised roadmap to achieve those improvements.

The next component, the implementation tiers, resembles a traditional capability maturity model (CMM), although NIST is careful to say the tiers are not intended as maturity levels. Tier 1 is ‘partial’, where risk management is ad hoc; Tier 2 is ‘risk-informed’, where risk management processes are in place but not integrated across the organisation; Tier 3 is ‘repeatable’, where formal policies for risk management are in place and regularly updated; and Tier 4 is ‘adaptive’, where risk management processes are embedded in the organisation’s culture and adjusted from lessons learned. NIST encourages organisations to progress to a higher tier when doing so would reduce risk and be cost effective, and an organisation seeking an effective, defensible cybersecurity program will typically aim for Tier 3 or Tier 4.

The Framework Core component defines standardised cybersecurity activities, desired outcomes, and applicable references (to standards such as ISO/IEC 27001 and NIST SP 800-53), and is organised by five continuous functions: Identify, Protect, Detect, Respond, and Recover. In effect, it describes the continuous cycle of business processes that constitute effective cybersecurity.

Australia has been lagging behind in acknowledging cybersecurity as a national priority. With the opening of the Australian Cyber Security Centre and the imminent release of the Government’s review, that will no longer be the case. But things are changing quickly, and there is a danger that policies and legislation will not keep pace with technical developments.

Mandatory disclosure of breaches is a start, but it is important that the disclosure be made to the relevant parties. It needs to be fast and actionable, and done in a meaningful way, so that other organisations can benefit from it.

Many companies are reluctant to publicly share information about cybersecurity breaches because it may affect their share price or reputation – perhaps one role for the ACSC is to act as a confidential clearing house of such information.

View the original content and more from this author here: http://ift.tt/1OAUuOn

from cyber security caucus http://ift.tt/1NHs3ir