In this bonus episode, Cole Cornford chats with Toby Amodio, Chief Information Security Officer at the Department of Parliamentary Services, about the latest update of the Information Security Manual, ahead of its release in early July. The Information Security Manual is a great reference for anyone looking to understand what threats the government is looking to address, and where the cybersecurity community needs to be more vigilant.

Secured by Galah Cyber website

00:00 - Toby Amodio and Cole Cornford start their discussion about the Australian Cyber Security Centre's (ACSC) Information Security Manual (ISM) Control 2023 Updates, focusing initially on the encryption and handling of passwords.

03:38 - Toby highlights a humorous typo on a 30-character limit for "break glass" accounts, which was later corrected by the ACSC.

06:04 - Cole discusses the ISM Control 1171 update which relates to password managers. They explore the pros and cons of using these tools.

09:00 - Toby introduces a change in ISM Control 1492, which now requires password changes only when there are indications of compromise, marking a shift from regular password changes.

11:08 - Cole discusses changes in ISM Control 1428, highlighting how security is shifting towards a more risk-based approach rather than blanket mandates.

14:15 - Toby talks about Control 1371, which emphasises procurement processes and "secure-by-design" practices. However, he also acknowledges the practical challenge of enforcing such a control.

18:43 - Cole and Toby discuss ISM Control 1431 which focuses on scalability in cloud environments. They delve into how most government systems might not be architected to handle dynamic scaling.

25:46 - Toby introduces the concept of continuous real-time monitoring. They debate the removal of Control 1518, which pertains to maintaining a low-bandwidth version of a website as a form of backup.

28:51 - Cole argues against maintaining a low-bandwidth website. He emphasises the need to build more resilient applications that can handle load effectively.

31:42 - Toby and Cole discuss the practical impact of the changes, noting how it creates a competitive vector for businesses and promotes better cultural change in the security space.

33:18 - Toby summarises the overall changes in the ISM guidelines, focusing on the blend of security by design and resilience of websites and external services.

34:51 - Cole shares his viewpoint on why it's better to focus on resilience rather than having a low bandwidth backup.

36:07 - They discuss the potential negative implications of switching to a low-bandwidth version during high load, such as causing alarm and potential reputational damage.

37:41 - Toby and Cole discuss their favourite parts of the updates, appreciating the indirect promotion of better cultural change in security through the ISM.

40:46 - They conclude their conversation, expressing their gratitude to the ACSC for the constant improvement of the ISM document and its value to the cybersecurity community.

Resources

https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism

Mentioned in this episode:

Call for Feedback