Security Principles are the fundamental guidelines and best practices designed to protect information systems and data from threats and vulnerabilities.
The purpose of the cyber security guidelines within the Information Security Manual (ISM) is to provide practical guidance on how an organisation can protect its information technology and operational technology systems, applications and data from cyber threats.
Must be able to implement or support protection for data at rest and data in transit, implement data sanitisation controls, and ensure secure data sharing and data disposal methods to prevent unauthorised access, disclosure or modification of all instances (including copies, backups and archives) of classified data or documents.
Must be able to provide or support user identity and access management, including support for secure authentication methods, multi-factor authentication (MFA) and strong user account and password policies.
Must be able to implement or support role-based access control (RBAC) and/or attribute- or context-based access controls for user access authorisation (privilege management), and provide a method to audit and report on user access and privilege status.
Must provide or support the implementation of a secure administration and privileged access management (PAM) method, including secure remote access methods.
Must provide or support a method for managing and protecting cryptographic keys, certificates, application secrets, and service account and cloud tenancy passwords that are used to secure data and platforms.
Must ensure application programming interfaces (APIs) incorporate protection controls to safeguard against internal and external threats.
Ensure security measures and practices are implemented to protect mobile applications from threats and vulnerabilities that could compromise the confidentiality, integrity, and availability of the application and its data.
Application and platform components (i.e. web/cloud applications, workstation/server applications, mobile applications and operating systems) must be securely developed, configured, hardened and maintained including authenticating critical inter-component and external connections to prevent unauthorised access or impact from threats.
Database Systems must be protected using industry recommended security controls and hardening practices.
Must be able to provide or support a method to authenticate, validate and control devices connecting to the product or service including mobile devices, personal computing devices and external storage devices.
Must be able to routinely identify technical vulnerabilities in application and platform components and apply the necessary security patches and updates in a timely manner. Must also provide continuous security awareness training for staff on threats, product security and good security practices.
Must be able to protect product or service platform and infrastructure components from malware, unauthorised mobile code and other similar threats.
Must support continuous logging, auditing and monitoring of crucial application and platform level security events, user events and critical application or data transactions, including:
- supporting connectivity to a continuous security event monitoring service (e.g. a SIEM);
- having the ability to retain and protect audit, system and security logs.
Must have arrangements to respond to, contain, investigate and manage security incidents, including agreed breach notification procedures.
Must be able to meet recovery, service continuity and high-availability/resiliency requirements including establishing recovery objectives and support arrangements to meet operational, regulatory or legal requirements.
Must be able to provide network protection controls and secure communication services such as firewalling, secure gateways, proxy services and wireless network controls (if used) and use network access control lists to protect exposed product or service components from external and internal threats.
Must be able to support a capability to manage technical assets and maintain and validate technical security configuration baselines (for hardware and software on servers, workstations, networks and mobile devices) and must follow controlled change management procedures for applications, platform and network infrastructure.
Web browsers and/or the classified content in email or messaging services must be protected using industry recommended methods and use secure messaging infrastructure.
Must demonstrate adequate governance and processes in place to manage security risks to data, products and services including threats from sub-contractors, partners and related third-parties.
Must be able to demonstrate adequate Physical Security and Environmental Protection for data and product components.
Ensure the security and integrity of systems and data when integrating different applications or services.
When considering guidelines for file storage, it's essential to focus on both security and efficient management.
Internal Threats

| Actors | Motivation | Tactics |
|---|---|---|
| Malicious Insiders | Revenge, financial gain, ideological reasons. | Data exfiltration, sabotage, privilege abuse. |
| Negligent Employees | Unintentional. | Misconfigurations, weak passwords, accidental sharing. |
| Privileged Users | May be malicious or negligent. | Abuse of elevated access, bypassing controls. |
| Third-Party Contractors/Vendors | Varies; can be negligent or compromised. | Indirect access to systems, weak security practices. |
| System Misconfigurations | Human error or oversight. | Exposed databases, open ports, insecure defaults. |
| Untrained Users | None (accidental). | Clicking phishing links, misusing systems, sharing sensitive data. |

External Threats

| Actors | Motivation | Tactics |
|---|---|---|
| Cybercriminals | Financial gain through data theft, ransomware, fraud. | Phishing, malware, credential stuffing, exploiting vulnerabilities. |
| Hacktivists | Political or ideological causes. | Website defacement, data leaks, DDoS attacks. |
| Nation-State Actors | Espionage, disruption, intellectual property theft. | Advanced persistent threats (APTs), zero-day exploits, supply chain attacks. |
| Script Kiddies | Thrill, reputation, experimentation. | Use of pre-made tools and exploits with limited understanding. |
| Competitors | Industrial espionage, market advantage. | Insider recruitment, data theft, surveillance. |
| Cyber Terrorists | Cause widespread disruption or fear. | Infrastructure sabotage, data destruction, misinformation campaigns. |

Third-Party Threats

| Actors | Motivation | Tactics |
|---|---|---|
| Supply Chain Vulnerabilities | Exploited by other actors. | Compromised software updates, insecure third-party services. |

Technological Threats

| Actors | Motivation | Tactics |
|---|---|---|
| Automated Bots | Data scraping, brute-force attacks, spam. | Credential stuffing, vulnerability scanning. |
| AI-Powered Attack Systems | Sophisticated automation of attacks. | Adaptive phishing, deepfake generation, anomaly detection evasion. |

Physical Threats

| Actors | Motivation | Tactics |
|---|---|---|
| Natural Disasters | Not applicable. | Data center damage, power outages, hardware loss. |
| OVERALL RISK: the risk to the target system or organisation, considering the likelihood of exploitation, business impact and ease of exploitation, among other factors. |
|---|
| Critical: An immediate risk that is easily exploitable and may result in the total compromise of the target system. |
| High: May allow malicious actors with little technical skill to exploit publicly disclosed vulnerabilities or attack system misconfigurations to negatively impact the organisation. |
| Medium: Presents some risk to the target system; may allow a malicious actor with high-level technical skills to chain multiple vulnerabilities to infiltrate the affected system and gain an initial foothold into the organisation. |
| Low: Presents a relatively low threat to the target system and may be utilised by an attacker to obtain insight into application architecture with a view to forming further attacks. |
| Informational: No immediate threat; however, provides information that may be unknown to the organisation or that assists in improving the overall security posture. |
| IMPACT: also known as severity or consequence, aims to determine the effect that results from exploitation of a vulnerability or flaw. |
|---|
| Severe: Presents an immediate risk to the organisation which may have financial, technical, legal or regulatory implications due to system compromise or exposure of company sensitive information. Attackers may read or modify data, execute arbitrary code or escalate privileges. |
| Major: Presents a material security risk to the organisation which may have financial, technical or legal implications for the organisation. |
| Moderate: Presents a moderate security risk to the organisation which may lead to financial, technical or legal implications for the organisation. May not lead to direct system compromise or company information disclosure, though may allow a malicious actor with high-level technical skills to chain multiple vulnerabilities to infiltrate the affected system and gain an initial foothold into the organisation. |
| Minor: Presents a low security risk to the organisation and will not have significant financial, technical or legal implications for the organisation. May have the potential to disclose application or system information through misconfiguration, which may be utilised by an attacker to obtain insight into application architecture with a view to forming further attacks. |
| Insignificant: No financial, technical or legal implications for the organisation. |
| LIKELIHOOD: reflects how likely it is for a risk to occur. |
|---|
| Certain: Exploitation is certain. |
| Likely: Exploitation is almost certain. |
| Possible: Exploitation is likely to occur. |
| Unlikely: Exploitation is possible but unlikely. |
| Rare: Exploitation is unlikely. |