In March 2024, the Australian Cyber Security Centre (ACSC) introduced significant updates to the Information Security Manual (ISM), marking a crucial pivot towards more robust cybersecurity standards. As Managed Service Providers (MSPs) play a pivotal role in securing Australia’s information frontiers, understanding and implementing these changes is paramount. Let’s delve into the key updates and practical approaches to ensure compliance and bolster security.

Embracing Enhanced Enterprise Mobility

The ISM now mandates that mobile platforms complete a Common Criteria evaluation against the Protection Profile for Mobile Device Fundamentals, version 3.3 or later [ISM-1867]. This shift underscores the increasing threats in mobile computing and the need for stringent security measures.

Action for MSPs:

  • Audit and Upgrade: Review your and your clients’ mobile device inventory. Upgrade devices or transition to platforms that comply with version 3.3 or later to safeguard sensitive data effectively.
  • Policy Revision: Update your cybersecurity policies to reflect this change, ensuring all stakeholders are aware of the new requirements.

Hardening ICT Equipment Configurations [ISM-1913]

The introduction of a control recommending the development, implementation, and maintenance of approved configurations for ICT equipment echoes the shift towards zero trust principles. This means trust is never assumed, and verification is required from everyone attempting to access resources in the network.

Strategy for Compliance:

  • Configuration Baselines: Establish configuration baselines that align with zero trust architecture. Utilise configuration management tools to enforce these settings across your managed environment.
  • Regular Audits: Conduct regular audits to ensure the configurations remain in compliance and adjust as necessary based on evolving threats and business needs.

System Hardening Updates

With new controls aimed at hardening operating systems [ISM-1914], user applications [ISM-1915], and server applications [ISM-1916], the ISM guide emphasises a layered approach to security.

Practical Steps:

  • Develop Approved Configurations: For each category, create approved configurations that adhere to zero trust security principles.
  • Automate Enforcement: Use policy enforcement tools to automate the application of these configurations, ensuring consistency and reducing human error.
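The "approved configuration" controls above (ICT equipment, operating systems, user applications and server applications) all come down to the same audit loop: hold a baseline of permitted values, capture what a managed host actually runs, and report every directive that drifted or was never set. The script below is an added illustration of that loop, not code from the ISM or from any MSP tooling. The baseline and the captured configuration are constructed; the SSH daemon directives are used only because they are a familiar, real configuration format, and the permitted values are assumptions for the example rather than ISM-specified settings.

```python
from typing import Dict, List, Set, Tuple

# Constructed approved configuration for one class of ICT equipment (an SSH
# daemon, chosen only as a familiar example). Each directive maps to the set of
# values this hypothetical baseline permits.
APPROVED_BASELINE: Dict[str, Set[str]] = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "X11Forwarding": {"no"},
    "MaxAuthTries": {"3", "4"},
    "LogLevel": {"VERBOSE"},
}

# Constructed observed configuration, as an inventory agent might capture it.
OBSERVED_CONFIG = """\
# sshd_config captured from host-01 (constructed sample)
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
LogLevel VERBOSE
Banner /etc/issue.net
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Directive value' lines into a dict.

    Comments and blank lines are ignored. The first occurrence of a directive
    wins, which is how sshd resolves duplicates, so a later override buried in
    the file cannot silently mask the effective value.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(observed: Dict[str, str], baseline: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Compare observed settings with the baseline.

    Returns (directive, observed_value, verdict) for every baseline directive:
      'ok'    - value is within the approved set
      'drift' - value is set but outside the approved set
      'unset' - directive absent, so the software default applies, which the
                baseline cannot attest to and must therefore be flagged
    """
    results = []
    for directive, allowed in sorted(baseline.items()):
        if directive not in observed:
            results.append((directive, "", "unset"))
        elif observed[directive] in allowed:
            results.append((directive, observed[directive], "ok"))
        else:
            results.append((directive, observed[directive], "drift"))
    return results


def is_compliant(results: List[Tuple[str, str, str]]) -> bool:
    """A host is compliant only when every baseline directive is 'ok'."""
    return all(verdict == "ok" for _, _, verdict in results)


if __name__ == "__main__":
    findings = audit(parse_config(OBSERVED_CONFIG), APPROVED_BASELINE)
    for directive, value, verdict in findings:
        print(f"{verdict:5}  {directive} = {value!r}")
    print("compliant:", is_compliant(findings))
```

Treating an absent directive as a finding rather than a pass is the point worth carrying into real tooling: a baseline that only checks values which happen to be present will report a freshly installed default configuration as compliant.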

Cryptography Changes and Future-Proofing [ISM-0994, ISM-1917]

The ISM update reflects significant changes in cryptography practices, notably the withdrawal of DSA as an approved algorithm and the encouragement to plan for post-quantum cryptographic standards.

Navigating Cryptographic Transitions:

  • Educate Your Team: Ensure your technical team understands the implications of moving away from DSA and the importance of preparing for post-quantum cryptography.
  • Collaborate with Vendors: Engage with your cryptographic solutions providers to understand their timelines for supporting post-quantum algorithms and plan your transition accordingly.
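Before a team can plan a migration away from DSA it needs to know where DSA material still lives. The inventory scan below is an added example, not part of the original article or of any ISM guidance: it classifies lines gathered from OpenSSH authorized_keys files, host-key directories and PEM key stores by algorithm family and flags everything that is DSA. The sample inventory is constructed (the key bodies are placeholders, not real keys). It also shows an edge case practitioners hit in practice: PEM headers such as OPENSSH PRIVATE KEY or PKCS#8 PRIVATE KEY do not name the algorithm, so those entries are reported as opaque and must be decoded before the inventory can be declared DSA-free.

```python
import re
from typing import Dict, List

# Constructed sample inventory (placeholders, not real keys): lines of the kind
# an MSP would gather from authorized_keys files, host keys and PEM key stores.
SAMPLE_INVENTORY = [
    "ssh-dss AAAAB3NzaC1kc3MAAACBAPconstructed legacy-admin@host1",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQconstructed ops@host2",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed ops@host3",
    "-----BEGIN DSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "ssh-dss-cert-v01@openssh.com AAAAconstructed svc@host4",
]

# OpenSSH public-key and certificate type names mapped to algorithm family.
_SSH_TYPES = {
    "ssh-dss": "dsa",
    "ssh-dss-cert-v01@openssh.com": "dsa",
    "ssh-rsa": "rsa",
    "ssh-rsa-cert-v01@openssh.com": "rsa",
    "rsa-sha2-256": "rsa",
    "rsa-sha2-512": "rsa",
    "ssh-ed25519": "ed25519",
    "ssh-ed25519-cert-v01@openssh.com": "ed25519",
}

# PEM header labels. OPENSSH PRIVATE KEY and PKCS#8 PRIVATE KEY carry the
# algorithm inside the encoded payload, so the header alone cannot classify
# them; they are marked 'opaque' so they are never silently counted as safe.
_PEM_LABELS = {
    "DSA PRIVATE KEY": "dsa",
    "DSA PARAMETERS": "dsa",
    "RSA PRIVATE KEY": "rsa",
    "EC PRIVATE KEY": "ecdsa",
    "OPENSSH PRIVATE KEY": "opaque",
    "PRIVATE KEY": "opaque",
}
_PEM_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")


def classify_key_line(line: str) -> str:
    """Return 'dsa', 'rsa', 'ecdsa', 'ed25519', 'opaque' or 'unknown' for one line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return "unknown"
    match = _PEM_RE.match(line)
    if match:
        return _PEM_LABELS.get(match.group(1), "unknown")
    key_type = line.split()[0]
    if key_type.startswith("ecdsa-sha2-"):
        return "ecdsa"
    return _SSH_TYPES.get(key_type, "unknown")


def find_dsa_material(lines: List[str]) -> List[Dict[str, object]]:
    """Flag every DSA line, plus opaque lines that need decoding before the
    inventory can be attested DSA-free."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        family = classify_key_line(line)
        if family == "dsa":
            findings.append({"line": number, "family": family,
                             "action": "replace: DSA withdrawn from approved algorithms"})
        elif family == "opaque":
            findings.append({"line": number, "family": family,
                             "action": "decode payload to determine algorithm"})
    return findings


def summarise(lines: List[str]) -> Dict[str, int]:
    """Count inventory lines per algorithm family for a migration report."""
    counts: Dict[str, int] = {}
    for line in lines:
        family = classify_key_line(line)
        counts[family] = counts.get(family, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in find_dsa_material(SAMPLE_INVENTORY):
        print(finding)
    print(summarise(SAMPLE_INVENTORY))
```

Run against the real collected inventory, the summary gives the size of the DSA population to migrate, and the opaque count tells the team how much material still needs a proper parser before the DSA figure can be trusted.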

The ISM March 2024 updates serve as a clarion call for MSPs to elevate their cybersecurity frameworks. By proactively embracing these changes, MSPs can not only ensure compliance but also strengthen their defence against the ever-evolving cyber threat landscape. It’s a journey towards a more secure and resilient digital Australia, with MSPs at the helm steering the course.

FAQs

Q: What is the significance of moving to Protection Profile for Mobile Device version 3.3 or later for mobile platforms?
A: This ensures mobile devices are equipped with the latest security features and protections, minimising vulnerabilities and enhancing overall security posture.

Q: How can MSPs effectively implement zero trust principles?
A: Begin with identity verification, least privilege access, and micro-segmentation. Educate your team and clients about the principles and incorporate them into your security strategies.

Q: What does the shift towards post-quantum cryptography entail for MSPs?
A: It involves preparing for a future where current encryption standards may no longer be secure against quantum computing threats. Stay informed about developments in quantum-resistant algorithms and plan your cryptographic strategy accordingly.