The information security framework for the Australian Government is driven by two main documents: the Protective Security Policy Framework (PSPF), owned by the Attorney-General’s Department, and the Information Security Manual (ISM), owned by the Australian Signals Directorate (ASD). Note that the PSPF is a set of policies rather than a single volume like the ISM.
Every information security framework and “best practice” guide to cyber security states that you need “management buy-in”, but why is it important and what does it look like?
What Brush Turkeys Have Taught Me About Information Security
It is that time of year again: a male brush turkey has made my backyard his home, tearing apart vegetation to build his nesting mound. While this is a source of frustration, on the positive side it has given me new ways to think about information security.
A big part of my job is conducting security audits or assessments for clients. In one assessment, I asked a client for some documentation, in this case a system design document, as is usual practice. I was told “We don’t do documentation just for audits”. Further discussion revealed that the client’s culture was one where documentation was considered unnecessary for many activities, including activities directly related to security. Needless to say, I found many issues with their information security posture.