
Keeping up with changes to cyber security standards is essential for Managed Service Providers (MSPs), whose own security and that of their clients depends on it. In June 2024 the Australian Signals Directorate (ASD) released a significant update to the Information Security Manual (ISM). Here is a look at what changed and what it means for MSPs and for the clients they help to meet ISM requirements.

Key ISM Updates Affecting MSPs and Their Clients

Cyber Security Principles

The ISM groups its cyber security principles into five functions: GOVERN, IDENTIFY, PROTECT, DETECT and RESPOND. Together they structure the guidelines and controls that make up the framework. This post covers the GOVERN, IDENTIFY, PROTECT and RESPOND principles.

1. GOVERN Principles

Purpose: GOVERN principles outline the governance-related activities necessary for managing cyber security risks.
Impact on MSPs: MSPs must ensure their governance frameworks include clear security risk management processes for systems, applications and data, keeping them aligned with regulatory requirements and internal policies.

2. IDENTIFY Principles

Purpose: IDENTIFY principles focus on identifying and documenting assets, risks, and vulnerabilities within the organisation.
Impact on MSPs: MSPs need to identify and document the business criticality of systems, applications and data accurately, because criticality determines what needs protecting and in what order.

3. PROTECT Principles

Purpose: PROTECT principles define how to safeguard identified assets and ensure their security and integrity.
Impact on MSPs: MSPs should implement robust identity and access management systems, ensure secure administration of systems and data, and design security measures according to business criticality.

4. RESPOND Principles

Purpose: RESPOND principles guide the organisation on how to effectively respond to and recover from cyber security incidents.
Impact on MSPs: MSPs must develop and maintain incident response plans, report incidents regularly, and analyse incidents to improve future responses. This limits disruption and shortens recovery when a breach occurs.

Guidelines for Cyber Security Roles and Incident Management

1. Cyber Security Leadership

Impact: Clients should appoint CISOs who oversee both IT and operational technology (OT), ensuring comprehensive security leadership. Regular reporting to senior executives and boards is now essential.

2. Insider Threat Mitigation

Impact: MSPs must help clients develop insider threat mitigation programs to proactively address internal threats, safeguarding both their infrastructure and their clients’ data.

Procurement, Outsourcing, and System Hardening

1. Supply Chain Risk Management

Impact: Updated supply chain controls for IT and OT equipment require MSPs to tighten their procurement processes so that technology is sourced from vetted suppliers and delivered securely to the client.

2. Multi-factor Authentication

Impact: MSPs should require multi-factor authentication for their own staff and for all access to client systems, and retire weaker authentication methods, so that a stolen or phished password alone does not give an attacker access to sensitive client information.

Software Development and Email Security

1. Secure Software Development

Impact: Adopting the OWASP guidance for mobile and AI application development that the ISM now references helps mitigate security risks in the software MSPs build and deliver to clients.

2. Email Server Transport Encryption

Impact: MTA-STS (RFC 8461) lets a receiving domain publish a policy that requires sending mail servers to deliver only over TLS, with a valid certificate, to the MX hosts the policy lists. With the policy in enforce mode, a downgrade to cleartext or a spoofed MX causes delivery to fail rather than proceed unprotected; in testing mode the failure is only reported. Enabling it on MSP and client domains closes off a common route for intercepting mail in transit.
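"Ensuring MTA-STS is enabled" is a check an MSP can automate. The following is an added example, not code from the original post or from ASD: it validates the two artefacts an MTA-STS deployment consists of, the `_mta-sts.<domain>` DNS TXT record and the policy file served at `https://mta-sts.<domain>/.well-known/mta-sts.txt`, and compares the policy against the domain's live MX hosts. The record and policy text are constructed samples for `example.com`, and the function and field names are mine; fetching the real record and policy is left to the caller. It flags the mistake most often found after MTA-STS has been "enabled": a policy left in `mode: testing`, which only produces TLS reports and does not stop a downgrade.

```python
"""Offline validator for an MTA-STS deployment (RFC 8461).

Added example, not part of the original post. It checks the two artefacts a
receiving domain publishes: the `_mta-sts.<domain>` DNS TXT record and the
policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt.
Fetching them is left to the caller; the inputs here are constructed samples.
"""
import re
from dataclasses import dataclass, field

MAX_AGE_LIMIT = 31_557_600                   # RFC 8461 s3.2: max_age is capped at one year of seconds
ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")   # s3.1: id is 1 to 32 alphanumeric characters


def parse_dns_record(txt: str) -> dict:
    """Parse 'v=STSv1; id=20240601T000000;' into a dict, rejecting non-STSv1 records or bad ids."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record is not an STSv1 record")
    if not ID_RE.match(fields.get("id", "")):
        raise ValueError("TXT record id missing or not 1-32 alphanumerics")
    return fields


@dataclass
class Policy:
    version: str = ""
    mode: str = ""
    mx: list = field(default_factory=list)
    max_age: int = -1                        # -1 marks 'not present'


def parse_policy(body: str) -> Policy:
    """Parse 'key: value' lines (CRLF or LF). Unknown keys are extension fields and are ignored."""
    pol = Policy()
    for raw in body.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "version":
            pol.version = value
        elif key == "mode":
            pol.mode = value
        elif key == "mx":
            pol.mx.append(value.lower())
        elif key == "max_age":
            if not value.isdigit():
                raise ValueError("max_age must be a non-negative integer")
            pol.max_age = int(value)
    return pol


def mx_matches(pattern: str, host: str) -> bool:
    """s4.1: '*.example.com' matches exactly one leading label; anything else is an exact match."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # '.example.com'
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def check_deployment(txt: str, policy_body: str, live_mx: list) -> list:
    """Return findings; an empty list means an enforce-mode policy that covers every live MX."""
    findings = []
    try:
        parse_dns_record(txt)
    except ValueError as exc:
        findings.append(f"dns: {exc}")
    try:
        pol = parse_policy(policy_body)
    except ValueError as exc:
        return findings + [f"policy: {exc}"]

    if pol.version != "STSv1":
        findings.append("policy: version must be STSv1")
    if pol.mode not in ("enforce", "testing", "none"):
        findings.append(f"policy: unknown mode {pol.mode!r}")
    elif pol.mode != "enforce":
        # 'testing' only produces TLSRPT reports; 'none' tells senders to drop the policy.
        findings.append(f"policy: mode is {pol.mode!r}; delivery is unprotected until mode is 'enforce'")
    if not 0 <= pol.max_age <= MAX_AGE_LIMIT:
        findings.append("policy: max_age missing or outside 0..31557600")
    if pol.mode in ("enforce", "testing") and not pol.mx:
        findings.append("policy: no mx entries")
    for host in live_mx:
        if not any(mx_matches(p, host.lower()) for p in pol.mx):
            findings.append(f"policy: live MX {host} is not covered by any mx entry")
    return findings


# Constructed sample inputs for example.com (not real records).
SAMPLE_TXT = "v=STSv1; id=20240601T000000;"
SAMPLE_POLICY_TESTING = ("version: STSv1\r\nmode: testing\r\n"
                         "mx: mail.example.com\r\nmx: *.backup.example.com\r\n"
                         "max_age: 86400\r\n")
SAMPLE_POLICY_ENFORCE = SAMPLE_POLICY_TESTING.replace("mode: testing", "mode: enforce")
SAMPLE_LIVE_MX = ["mail.example.com", "mx2.backup.example.com"]

if __name__ == "__main__":
    for label, body in (("testing", SAMPLE_POLICY_TESTING), ("enforce", SAMPLE_POLICY_ENFORCE)):
        print(label, check_deployment(SAMPLE_TXT, body, SAMPLE_LIVE_MX) or ["OK"])
```

Two operational points the parser cannot see: the policy must be served over HTTPS with a certificate valid for the `mta-sts.<domain>` name, and the `id` in the TXT record must change every time the policy file changes, otherwise sending servers keep using the cached copy until `max_age` expires.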

Implementing the Changes for MSPs

For MSPs, these changes underscore the need for rigorous cyber security practices and continuous adaptation to evolving standards. Here’s how you can implement these updates to benefit both your organisation and your clients:

  1. Review and Update Policies: Ensure your organisation’s cyber security policies reflect the new GOVERN, IDENTIFY, PROTECT, and RESPOND principles to maintain ISM compliance.
  2. Enhance Reporting Mechanisms: Establish regular reporting cycles for your CISO to engage with senior executives, boards, and audit committees, ensuring transparency and accountability.
  3. Strengthen Authentication Processes: Implement robust multi-factor authentication protocols and disable weaker authentication methods to enhance security.
  4. Adopt Secure Development Standards: Apply the OWASP standards for mobile and AI application development to mitigate security risks, ensuring your clients receive secure software solutions.
  5. Educate and Train Staff: Conduct training sessions to ensure all employees understand the new controls and their responsibilities in maintaining security, enhancing overall compliance efforts.

For detailed guidance on implementing these updates, please refer to the full June 2024 ASD ISM changes.
