The Australian Signals Directorate has published an updated version of its guide designed to help government agencies secure their data.
The updated version of the government’s Information Security Manual was made available yesterday ahead of its formal launch today at the the Australian Cyber Security Centre conference.
“The key changes to the 2015 ISM are the introduction of the Australian Signals Directorate's Certified Cloud Services List (CCSL) and major revisions of security measures to ensure better suitability in a 'cloud first' policy environment,” an ASD spokesperson told Computerworld Australia.
The government in released in October its updated cloud computing policy designed to push increased use of as-a-service options by agencies.
The policy mandates that when obtaining new IT services or replacing existing services, agencies and departments must adopt cloud if it is "fit for purpose, provides adequate protection of data and delivers value for money".
"Data shows there has been only modest use of cloud services by government agencies to date," the policy stated.
"Cloud procurements in AusTender have totalled approximately $4.7 million since July 2010, and the Data Centre as a Service multi-use list has reported cloud contracts totalling approximately $1.5m since October 2012.
"To put this in context, the Australian Government spends approximately $6 billion a year on ICT.
Microsoft’s Azure cloud computing service and Office 365 SaaS offering have been IRAP certified for so-called unclassified but sensitive information by the ASD, as has Amazon Web Services’ EBS, EC2, S3 and Virtual Private Cloud services.
AWS's IRAP assessment was accepted by the ASD yesterday.
The ASD’s certified cloud services list notes other cloud services are undergoing the process to be added to the list.
“The CCSL has been developed to mitigate concerns from government that the security risks of using cloud services may not be easily identified. As the certification authority, ASD will provide a baseline understanding of how a cloud service provider approaches these risks using ASD's and industry's experience,” the ASD spokesperson said.
The ISM has been published in its current format in 2009, according to the ASD. Prior to that ASD's Information Security guidance was published under Australian Communications Security Instruction (ACSI) 33, the agency said.
The updated ISM and CCSL are available from the ASD's website.