Government agencies worried about security standards annoying users and hurting productivity should upgrade to Windows 7, experts say.
(Books image by Horia Varlan, CC2.0)
The finalised Whole-of-Government (WofG) Common Operating Environment Policy released on the Australian Government Information Management Office (AGIMO) blog this week will prevent government users from accessing USB and SATA drives, installing software and viewing network drives.
The standards demand departments limit user access, but doing so on earlier Windows versions, such as XP, imposes either a dramatic lock-down of control or total administrative anarchy.
IBRS analyst Joe Sweeney said that Windows 7 offers tiered control of access rights, so tougher security will not require staff to be completely locked out of their machines.
"It will take quite a bit of time and effort for some departments to lock their systems down, those that do not have a culture of doing so," Sweeney said. "They can use a Windows 7 upgrade to help this if they are smart."
He pointed to technology controls such as AppLocker in Windows 7, which allow partial user permissions to be set.
"It gives more fine-grain control. Partial permissions mean users can change certain parts of the operating system, but not others," Sweeney said. "It can also set applications or versions, so users can install for instance Adobe but no other programs, or a particular version of Adobe Reader but none others. It is a significant change."
Departments should avoid Windows Vista, according to Sweeney, because the controls are not well implemented.
Agencies are mulling Windows 7 roll-outs independently, with Centrelink already on the platform, while the Department of Parliamentary Services recently said it would move to Vista from XP and Medicare is also on the older operating system.
Winners, losers?
While larger departments would already have tight security arrangements in place, smaller tier 3 agencies would not, according to analysts, and it may cost them time and resources to put them into place.
Auditors have been scathing of security-slack departments recently and IBRS analyst James Turner said agencies will continue to fail the tests unless they have the cash to fund projects.
You might be interested in:
Security officers have for years pushed for the level of security contained in the finalised requirements, he said, but many requests have failed to get executive support.
The fiscal pain will be worth it, provided agencies are held accountable for non-compliance, according to Chris Gatford, director of penetration testing firm HackLabs.
"The standards will do well to improve the security practice of agencies — it is good common sense," Gatford said.
"Mandates are very well, but they require penalties for non-compliance, otherwise they are just another piece of paper to be ignored."
The Australian National Audit Office said it does not comment on government policy, but that the report may gel with the broad post-audit security recommendations it occasionally issues to agencies.
Some improvements possible
The policy is lax in its logging requirements, according to Turner. It mandates that agencies must keep logs and recommends a series of broad categories, but it does not demand they review the data.
"They can hand an auditor the logs that they've kept and say 'you look at them'," Turner said.
"It should be required so that auditors can ask to prove they have been reviewed."
The absence of log reviews has been pinned to a litany of data breaches across enterprise and government, which affect organisations of all sizes.
Scott2010au 
Dr_Evil 
Linkedin 
RSS Feeds 
Newsletters 
Alerts
Government agencies face enormous challenges in implementing an effective, efficienct, and managable IT environment. However, there has been a trend within both Government and private industry where IT departments are now more interested in controlling and protecting their IT infrastructure than providing the end users with the services they need.
I've seen IT departments lock down OS's so severley that the functionality becomes near useless, and updates are impossible (eg. "We need to test this for 6 months and drive it through a year of beauracracy before you can have the tools you need to do your job")
Why am I forced to use obsolete 1.44MB floppy drives because DVD drives and USB ports are crippled? Why are email attachements limited to 1.5MB? Just what percentage of work related files fit within those constraints? Sure, there are some valid reasons for this but it shouldn't be at the expense of productivity.
IT departments are becoming a law unto themselves. Many departments have become no more than geeks trying to build the ultimate in controlled IT environments (aka Ivory Towers for all to gaze at in awe) with zero consideration of the tasks end-users have to perform.
Yes the technology is complex and constantly changing, but IT staff have to remember they are there to provide a service to the business not build their little techno empires.
I'll happy admit that you do have a point, and times may have changed since I was around.
Software Developers are typically entitled to a Workstation Dev access, for limited periods, that permits them to do/fix/etc stuff that an IT Dept may not be able to help with --- depending who answers the call.
Windows 7, or rather current versions of Group Policy + Active Directory, do this in a more granular manner.
Hopefully your concerns will be addressed in the 'not to distant future'.