MITRE: Analysis of the NIST Mobile Device Security Practice Guide’s Applicability to Australia
In April 2018, MITRE published the ‘Analysis of the NIST Mobile Device Security Practice Guide’s Applicability to Australia’ report. A summary is below:
The Australian Cyber Security Growth Network (AustCyber) contracted with The MITRE Corporation (MITRE) to assess the applicability of the National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide for Mobile Device Security: Cloud and Hybrid Builds (the Practice Guide) to organizations within Australia to consider opportunities for standards harmonization and proactive regulatory reform.
Mobile devices, most frequently in the form of smartphones and tablets, are a key feature of Australia’s society and its business activities—securing those devices and the data they carry is critical. While MITRE has considered the role of government and larger enterprises in this report, considerable attention is paid to small and medium-size enterprises (SMEs) due to their important role in the Australian economy. Many of these organizations have limited operational knowledge of cybersecurity. Australian organizations, and particularly SMEs, need practical advice that helps them understand their need for cybersecurity, along with easily consumable guidelines that are affordable and easy to implement.
MITRE found that the abundance of standards and guidelines available to Australian organizations at both the federal and state/territory level caused confusion around which advice should be adopted. “Cyberaware” organizations are overregulating, doing nothing, or applying a mixture of domestic and international standards as guidelines. The result is inefficient and is a barrier to improving Australia’s cyber resilience. The Australian government can begin to address this issue by taking steps to harmonize the guidelines it provides to industry and to other levels of Australian government.
This report is a starting point for Australian government and industry to further examine the existing overlaps and gaps that Australian organizations face in following the multiple cybersecurity requirements and guidelines. MITRE found that the Practice Guide is helpful to Australian organizations, including government, because it offers comprehensive standards-based guidelines. The Practice Guide attempts to provide practical, real-world security guidelines that most organizations can adopt on unclassified networks. For smaller organizations, the Practice Guide focuses on the use of a cloud architecture for mobile devices, while more mature organizations are given guidelines on the use of a hybrid architecture.
MITRE identified the Australian Signals Directorate’s (ASD) Information Security Manual (ISM) and the Essential Eight mitigation strategies as having the most relevance to mobile device security for organizations in Australia, as well as the Office of the Australian Information Commissioner’s (OAIC) guide to securing personal information when considering the recent Privacy Amendment (Notifiable Data Breaches) Act 2017. These three resources were mapped to the Practice Guide to identify overlaps and gaps.
Overall the ISM had the strongest relationship to the Practice Guide, and the gaps identified are largely due to the difference in the intended audience. The Practice Guide was designed for industry, whereas the ISM is focused on defense and federal agencies. The Essential Eight were found to be useful guidelines for mobile device security, with the Practice Guide security characteristics addressing six of the eight Essential Eight strategies. The OAIC guide to securing personal information is also relevant for SMEs concerned about mobile device security, though it also has broader applicability.
In summary, our analysis showed that the Practice Guide provided useful and practical guidelines on the specific issue of mobile device security within the Australian ecosystem. The Practice Guide can be a useful adjunct to the existing set of Australian guidelines and could serve as a preeminent and comprehensive reference for organizations seeking to improve the cybersecurity of mobile devices. Furthermore, the Practice Guide could become even more useful for SMEs with several modifications described at the conclusion of this report. MITRE recommends that AustCyber, a government-funded and industry-facing independent entity, take the lead in facilitating intergovernmental and multistakeholder discussions on cybersecurity standards harmonization both domestically and internationally (the latter is especially relevant for organizations that export and/or have multinational operations), with mobile device security serving as the initial use case because of its broad applicability across both SMEs and larger enterprises.