The Information Security Manual (ISM) represents the considered advice of the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD). The purpose of the ISM is “to outline a cyber security framework that an organization can apply, using their risk management framework, to protect their systems and data from cyber threats.”
The ISM is intended for:
The ISM functions as a set of cybersecurity principles and guidelines that organizations are advised to follow in order to protect their data. In this blog, we will first provide an overview of the ISM’s cybersecurity principles. We will then take a look at how organizations can follow the ISM guidelines by using data encryption and wiping.
The first section of the ISM consists of a set of cybersecurity principles. The purpose of these principles is to “provide strategic guidance on how an organization can protect their systems and data from cyber threats”.
The ISM’s cybersecurity principles are grouped together into 4 categories: govern, protect, detect, and respond. Here’s a summary of what each principle covers:
The second part of the ISM is a series of in-depth cybersecurity guidelines that are split up into a number of subsections and security controls. The Guidelines for Media chapter outlines security controls that cover the following 4 areas: media usage, media sanitization, media destruction, and media disposal. The media usage and media sanitization sections, in particular, provide information on the importance of data wiping.
The ‘Media sanitization processes and procedures’ subsection of the Guidelines for Media states: “Using approved methods to sanitize media provides a level of assurance that, to the extent possible, no data will be left following sanitization. The methods described in these guidelines are designed not only to prevent common data recovery practices but also to protect from those that could emerge in the future.” In the same section, security control ISM-0348 advises: “Media sanitization processes, and supporting media sanitization procedures, are developed and implemented.”
The Guidelines for Media chapter goes on to provide more specific advice for sanitizing volatile and non-volatile types of media. There are also recommendations for sanitizing media before first use, before it is reclassified to a lower sensitivity, and when media is transferred between 2 systems.
Sticking with the ISM’s cybersecurity guidelines, the Guidelines for Cryptography is the chapter that offers organizations advice on using encryption. In the ‘Encrypting data at rest’ subsection, the ACSC recommends that organizations use full disk encryption as “it provides a greater level of protection than file-based encryption.” Another solution for protecting all the data on your hard drive is volume encryption, which we believe is a more secure alternative to full disk encryption.
A list of the encryption algorithms that are approved by the Australian Signals Directorate can be found in the ‘ASD-Approved Cryptographic Algorithms’ section of the Guidelines for Cryptography. The guidelines state: “The only approved symmetric encryption algorithm is Advanced Encryption Standard (AES)”. AES is used for encrypting data at rest, and is the default encryption algorithm used by BestCrypt Volume Encryption and BestCrypt Container Encryption.
The type of data that needs to be wiped and encrypted will help you decide what kind of software your organization should use. If you have sensitive data on a computer that’s no longer needed, then you should use software that’s able to wipe your entire hard drive. However, if you want to be prepared in the event that one of your devices gets lost or stolen, you should secure the contents of the relevant hard drive by investing in whole disk encryption.
To help your organization comply with the ISM’s recommendations for media sanitization and encryption, GRC360 offers 2 types of software: