Recent data breaches have put a spotlight on web API vulnerabilities, and in what may not be a coincidence, the Australian Cyber Security Centre has added them to its influential Information Security Manual.
The latest edition of the ISM, published by the ACSC, adds a new control "to ensure clients are authenticated when calling web application programming interfaces that facilitate access to data not authorised for release into the public domain."
In addition, “A new control was added to ensure clients are authenticated when calling web application programming interfaces that facilitate modification of data.”
These controls were not present in the September edition of the ISM.
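The two new controls reduce to a single rule a practitioner can enforce at the API gateway or in middleware: a request needs an authenticated client if it reads anything not authorised for public release, or if it modifies data at all. The example below is added here to illustrate that rule; it is not code from the ACSC, the ISM, or any product. The route list, the HMAC-signed bearer token scheme, the signing key and the client identifiers are all constructed for the example. It fails closed on two axes: a resource not explicitly listed as public is treated as non-public, and an HTTP method not explicitly listed as read-only is treated as modifying data.

```python
"""Gate web API calls so that non-public reads and all writes require an
authenticated client. Added example; not from the ISM or any real system."""
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed for this example. A real deployment loads the key from a
# secrets store, never from source.
SIGNING_KEY = b"example-only-key-do-not-reuse"

# Resources whose data is authorised for release into the public domain.
# Anything not listed is treated as non-public (fail closed).
PUBLIC_RESOURCES = {"/api/v1/status", "/api/v1/public-notices"}

# Only these methods are treated as read-only. Any other method is assumed
# to modify data and therefore always requires an authenticated client.
READ_ONLY_METHODS = {"GET", "HEAD"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint a bearer token of the form base64(client_id.expiry).base64(hmac)."""
    now = int(time.time()) if now is None else now
    payload = f"{client_id}.{now + ttl_seconds}".encode("ascii")
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the client_id if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
        client_id, expiry_text = payload.decode("ascii").rsplit(".", 1)
        expiry = int(expiry_text)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= expiry:
        return None
    return client_id


def requires_authentication(method: str, path: str) -> bool:
    """The two new ISM controls as one predicate: authenticate the client for
    any read of non-public data and for any request that modifies data."""
    resource = path.split("?", 1)[0]           # ignore the query string
    modifies_data = method.upper() not in READ_ONLY_METHODS
    non_public = resource not in PUBLIC_RESOURCES
    return modifies_data or non_public


def authorise(method: str, path: str, headers: Dict[str, str],
              now: Optional[int] = None) -> Tuple[int, str]:
    """Decide whether a request may proceed. Returns (HTTP status, reason)."""
    if not requires_authentication(method, path):
        return 200, "public read, no authentication required"
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, "authentication required"
    client_id = verify_token(token.strip(), now)
    if client_id is None:
        return 401, "invalid or expired token"
    return 200, f"authenticated as {client_id}"


if __name__ == "__main__":
    tok = issue_token("app-17", ttl_seconds=300)
    print(authorise("GET", "/api/v1/status", {}))
    print(authorise("GET", "/api/v1/customers/42", {}))
    print(authorise("DELETE", "/api/v1/customers/42", {"Authorization": f"Bearer {tok}"}))
```

Note that the control, and this example, only establish *who* the client is. Whether that client may read a particular customer record or delete it is authorisation, which still has to be enforced separately once `authorise` has identified the caller.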
The ACSC also takes aim at what could be termed “compliance culture”, in particular a set-and-forget attitude to security controls.
Three groups of controls have been revised to make it clear that they must be actively maintained, not merely established:
- Overseeing cyber security awareness raising: “The existing control relating to overseeing the development and operation of a cyber security awareness raising program was amended to ensure it is also maintained.”
- Trusted insider program: “The existing control relating to the development and implementation of a trusted insider program was amended to ensure it is also maintained.”
- Cyber security documentation (33 separate controls): “Existing controls relating to the development and implementation of cyber security documentation were amended to ensure documentation is maintained throughout its lifetime”.
Another symptom of compliance culture, strategies that exist only on paper, is also addressed: “The existing control relating to the development and maintenance of a cyber security communications strategy was amended to ensure it is *implemented*” (emphasis added).
For the first time, the ISM explicitly draws the burgeoning – and often insecure – world of the Internet of Things into its remit.
“The definition of ICT equipment was amended to explicitly state that ‘smart devices’ are considered ICT equipment and therefore all controls relating to ICT equipment equally apply to smart devices, such as smart televisions and smart fridges”, the change log notes.
The ISM is available here.