Cyber, a word that is becoming all too popular yet more pervasive by the day, is a big thing in government. You don't have to look very far to see it, as it's signposted everywhere. There are regular stories in the news cycle about security breaches, hacks, new vulnerabilities and new threat actors. As the government's response to this landscape, the Australian Cyber Security Centre (ACSC), part of the statutory agency the Australian Signals Directorate (ASD), provides guidelines, advice and prevention approaches to cyber security threats, primarily for the public sector but also in collaboration with the private sector. There is a strong need for public sector entities to secure their systems, as the data contained within their datasets is of such a sensitive nature that a compromise can, in some instances, pose a threat to life. I believe every effort should be made to implement secure systems through security by design within a risk management approach, rather than layering on multiple tiers of security for the sake of potential impacts.

The main mechanism for security risk management promoted by the ACSC is the Information Security Manual (ISM). The most recent update to the ISM was April 2019. The ISM provides a framework for risk management through a set of controls across an array of areas, ranging from physical security and personnel security to security incident management, mobile device usage and media sanitisation. It is a very comprehensive list of controls. The ISM takes a risk management approach to security: responsibility is assigned for each control, and the assignee accepts either compliance or non-compliance depending on the outcome of assessing that control. The ASD also provides a useful assessment aid that makes the controls easier to digest and maps them to the protective markings from the Attorney-General's Department (AGD) Protective Security Policy Framework (PSPF):

  • O: OFFICIAL (including OFFICIAL:Sensitive)
  • P: PROTECTED
  • S: SECRET
  • TS: TOP SECRET

It is up to each business or public sector agency to verify its data classification requirements against a Business Impact Levels (BIL) guideline to assess the criticality of the data contained within a specific dataset. In the state of Victoria the Business Impact Levels are defined by the Commissioner for Privacy and Data Protection (CPDP), now known as the Office of the Victorian Information Commissioner (OVIC). OVIC has aligned the BIL to the Victorian Protective Data Security Framework (VPDSF), an extension of the federal PSPF. OVIC has also created a BIL web app so people can make a quick assessment of their protective marking requirements. The BIL breaks down the consequences of data compromise into three areas: confidentiality, integrity and availability.

[Image: impact-levels]
The majority of documents can be marked OFFICIAL for a baseline level of protection, or PROTECTED for an increased level of protection. While it is human nature to over-estimate risk, doing so when classifying data has knock-on effects: the security clearances required for data access, the capabilities and security controls of the underlying infrastructure, application security controls and even data sharing capabilities. A common mistake is to exaggerate the impact of a data compromise and then find that the data cannot be used or managed in the intended or a functional way; security has overridden functionality.

Once the data has been classified with the relevant markings, an assessment of the underlying infrastructure and application needs to be carried out. It should be noted that very few service providers can support and maintain infrastructure at a level higher than PROTECTED. It is a joint effort between the department and the service provider to ensure that the PROTECTED controls are met. During this phase it may be necessary to revisit the BIL to reassess certain capabilities. At the time of writing there were only a select number of providers able to support PROTECTED security levels. The list of these providers is managed by the ACSC under the ASD Certified Cloud Services List (CCSL), which currently includes the following:

Cloud Provider        Cloud Service                      Classification Level
Amazon                Amazon Web Services (AWS)          PROTECTED*
Dimension Data        Protected Government Cloud (PGC)   PROTECTED*
Macquarie Government  GovZone (Secure Cloud)             PROTECTED*
Microsoft             Azure                              PROTECTED*
Microsoft             Office365                          PROTECTED*
Sliced Tech           Gov Cloud Package                  PROTECTED*
Vault Systems         Gov Cloud Package                  PROTECTED*

The ASD is not just focused on cloud services. It also maintains a list of approved applications, hardware and other devices that have undergone assessment and been deemed to meet the necessary controls. The full Evaluated Products List (EPL) can be found on the ASD portal. The products on the list are recommended for building secure systems and networks in accordance with the ISM.

It's one thing to have controls in place, but if they cannot be measured and certified they ultimately have little value. The ASD also runs a certification program that assesses agency systems against the ISM. This program is called the Information Security Registered Assessors Program, better known as IRAP. IRAP assessments are performed by endorsed ICT security professionals who assess customer environments and platforms on the implementation of the ISM controls. A decent overview of the process can be found in the IRAP Anatomy of a Cloud Certification document on their website.

Prior to engaging an IRAP assessor it is recommended to complete a statement of applicability (SOA). The SOA records, for each control, which entity is responsible for it, whether the control applies, whether it is compliant, non-compliant or not relevant, and the reasoning behind the approach taken. Given the number of controls, it is quite an undertaking to work through. It is recommended that one SOA is carried out for the infrastructure (networks, storage, compute, gateways etc.) and another for the application itself; the controls that apply to one don't necessarily apply to the other. The SOA should take a holistic view of the security controls and be carried out in collaboration between the relevant service providers, security personnel and application owners.

Once the SOA has been completed and the controls actioned (no small feat), it is time to call in the IRAP assessor to start the certification process. The IRAP assessor audits the environment, writes a report on the status of the controls within it, leaning heavily on the completed SOA, and highlights any outstanding controls that must or should be implemented for certification to be granted. It is then up to the company or agency to implement the outstanding controls as recommended by the assessor or, at a minimum, formally accept the risk of those controls not being in place. Once the controls are implemented or the risk accepted, the certification process can be completed and a submission made to the ASD to grant certification.

It is good to see a governance structure in place that creates a consistent approach to security. As with all systems it's not without its flaws, but overall it's a work in progress and receives regular updates. Far too often we see government initiatives such as this stagnate and get archived, but that is not the case with the ASD.
