We spoke with Craig Blackwood, senior cyber security advisor from the Queensland Government Chief Information Office about the current review of the Information Standard 18 and how councils can protect themselves from cyber-attacks.
What is the Information Standard 18?
The IS 18 is a set of minimum requirements that are recommended to create a posture for information security [the approach your business takes to information security], the posture being how resilient you are to a variety of cyber-attacks and incidents.
Certain Government agencies, like hospitals, are required to comply with the requirements. For other government agencies, like local councils, utilities and the university sector, it’s not mandatory.
In an environment where there aren’t dedicated information security staff (which would be the case in smaller councils), having a tool like the IS 18 can be valuable, and the adoption of the standard is currently high among Queensland councils.
Why is the standard being reviewed?
The IS 18 is currently being reviewed with a view to replacing it with a new information security policy that will take less of a compliance approach and more of a risk-based approach, to allow agencies to make decisions that are more aligned with their needs and their context. [The review is currently only seeking input from state government agencies.]
Is the review in direct response to recent ransomware attacks?
No, it’s a general trend in information security to take more of a risk approach. Compliance-based approaches don’t work well in large organisations where different agencies have different risk tolerances and budgets.
What would be the biggest changes from moving from a compliance approach to a risk approach?
One of the notable amendments would be that, instead of just having controls like installing anti-malware, organisations would also set control objectives. For example, an objective could be to create a secure software environment. This allows an agency or organisation to say: we consider ourselves secure for these reasons, it has been risk assessed, and there’s a program in place to manage those risks. There may be a good business case for why organisations might not implement a control, and the risk assessment approach gives organisations that flexibility.
In light of the recent ransomware attacks do you have any advice for councils and any practical steps they can take to protect themselves?
The ASD’s Essential Eight * is a useful reference for controls and measures to limit the probability of infection and the impact of infection. From the list, there are some key measures:
1. Use and keep your anti-malware software updated
2. Back up your data
3. Patch your systems (fix vulnerabilities in software applications)
4. Whitelist (only allow selected software applications to run)
5. Organisations are also discouraged from paying a ransom, as it doesn’t guarantee you will get your data back and it encourages criminality
Go here to read about the New Petya ransomware: Everything you wanted to know (but were afraid to ask).
Councils can gain access and register for the Queensland Government Chief Information Office here:
* The Australian Signals Directorate’s (ASD) Strategies to Mitigate Cyber Security Incidents is a prioritised list of practical actions organisations can take to make their computers more secure.