Security Policies to implement the DSD Top 35

In July 2011, The Australian Defence Signals Directorate (DSD) published an updated list of their Top 35 Mitigation Strategies. This list was based on the analysis of real-world events within the government agencies, and is designed to identify the top set of controls that would have the most impact on reducing actual incidents. The list contains 35 specific controls, with 12 listed as “excellent” at reducing risk and a clear “top 4” controls that could provide the greatest benefit. According to the report:

While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, these strategies would have prevented at least 70% of the intrusions that DSD analyzed and responded to in 2009, and at least 85% of the intrusions responded to in 2010.

Information Security Policy Solutions

While these lists are truly valuable, organizations must realize that implementing these controls must be done within the larger context of the information security program.Before being implemented, these controls must (1) also be documented in written security policies and (2) implemented as part of a comprehensive information security program. So while it might be attractive to think that just four controls can mitigate 70% of the vulnerabilities, the reality is that most of these controls require a series of supporting security policies.

Below are the top 4 recommended controls, including some comments regarding security policy support from Information Shield and their placement within the ISO 27002 standard.

1. Patch applications e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.

Policy Solution: These security policy controls are in the category of both patch management and acceptable use of assets (ISO 7.1.3) , since the controls are referring to software on user devices. Information Security Policies Made Easy addresses this specific requirement, as well as providing 25 other sample security policies relating to the control of end-user devices.

2. Patch operating system vulnerabilities. Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.

Policy Solution: These security policy controls are in the category of vulnerability management (12.6.1 Control of Technical Vulnerabilities) and patch management . To be effective, these policies need to incorporate both change management (ISO 10.1.2 Change Management) and separation of duties (ISO 10.1.3 Segregation of Duties) to mitigate other common insider risks. The PolicyShield Security Policy Subscription provides policy templates to address this specific requirement as well as 50 additional supporting security policies.

3. Minimise the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing.

Policy Solution: These security policy controls fall into the category of account and privilege management (11.2.2 Privilege management). PolicyShield provides over 100 separate security policy samples dealing this specific requirement, as well supporting security policies for system management and logging of privileged commands.

4. Application whitelisting to help prevent malicious software and other unapproved programs from running e.g. by using Microsoft Software Restriction Policies or AppLocker.

Policy Solution: These security policies are part of a series of controls for controlling malicious software (ISO 10.4 Protection against malicious and mobile code) and for configuration management of end-user systems (ISO 10.1.2). PolicyShield provides a set of 50 separate sample information security policies within these categories.

Conclusion

Any prioritized list of controls is excellent for prioritizing information security efforts an the organization. However, as these reports often point out, these must be implemented together as part of a “defense in depth” program. While considering these controls, it is also important to consider what other controls must be in place to help effectively mitigate the “top 4” without introducing other risks.

Information Shield provides a library of over 2000 sample information security policies designed to implement a comprehensive, documented information security program.