We’ve compiled a case study that summarises 18 months of very challenging, rewarding and ultimately successful work, guiding the development of an IRAP-compliant information security management practice.
Our client was an international service provider to governments in Australia and overseas. In order to provide services to the Australian federal government, our client, as a multinational service provider, needed to comply with the Australian Government’s requirements for protective security and standardised information security practices. These requirements were defined within the Australian Government’s Statement of Applicability (SOA).
Our client is an established government service provider and so already understood the value of the information that it managed, and the importance of information security to the business’s ongoing operations and reputation. Our client was not, however, familiar with the kind of formalised, system-oriented information security accreditation framework that is required in order to meet Australian Government standards.
DotSec’s main challenge was to define and execute a collaborative program of work that would transform our client’s systems, processes and governance arrangements into a state where they would be certified as compliant with the government’s information security requirements.
Additional challenges included the need for our client to get clarification regarding the nature of the government requirements in some areas. The government-provided Statement of Applicability (SOA) is a subset of the full Information Security Manual (ISM) and Protective Security Policy Framework (PSPF). Some areas of inconsistency or confusion became apparent over the course of the project, and DotSec worked to get clarity on behalf of our client.
Finally, the transformational program of work presented significant coordination and management challenges, particularly the need to meet government deadlines and milestones, while also meeting our client’s budget and resourcing constraints.
DotSec met these challenges in a number of steps:
First, DotSec defined and managed a gap analysis project to identify areas of non-compliance with the set of controls the department had specified in its Statement of Applicability (SOA). The gap analysis report was submitted to the federal government for review and acceptance.
DotSec presented the Statements of Work (SOWs) as part of an over-arching project proposal to the company board and executive, and provided detailed explanations in response to a range of technical and budgetary questions.
DotSec addressed challenges relating to the consistency and applicability of the SOA by liaising with the federal government department, seeking clarification, managing risk and assisting our client to understand when, how and why the various controls included in the department-provided SOA were to be implemented.
DotSec was able to assist in these situations, relying on our practical information security expertise, understanding of the ISM and PSPF, and ability to present and discuss issues with both the government department and the client.
Finally, DotSec addressed budget and resource challenges by managing and executing the project, providing expert information security consultancy and project management services over a period of 18 months. The project successfully addressed the identified gaps and the client was able to implement the required security controls within time and budget constraints.
A subsequent audit confirmed the client’s security-control compliance, and resulted in the government’s acceptance of the final IRAP assessment report.
Detailed planning and careful task execution ensured that the project was successful across a range of business units, within the allocated time and cost, and within the constraints of the demanding day-to-day operational pace of the organisation.
Our client successfully complied with over 400 controls from the Australian Government Protective Security Policy Framework (PSPF) and Information Security Manual (ISM). Such a far-reaching program required significant changes to all aspects of the organisation, from business-executive roles and responsibilities, through to changes in business practices, modifications to the organisation’s IT and information security architecture, and implementation of technical and procedural controls.
DotSec guided the project to a successful outcome whereby these organisational changes were accepted and implemented.
DotSec designed an effective 18-month program of work that included gap-analysis, business process analysis, information-architecture analysis, Statement Of Work definition, project management, risk management, specialist technical guidance, education and mentoring. Furthermore, we assisted the client with meeting the SOA requirements while also meeting aggressive and demanding new-business and business-as-usual goals.
The entire project was completed on time and on budget.
Our client has secured a number of significant outcomes from the project, and these outcomes will continue to benefit the client’s business for years to come:
This case study highlights the value of dotSec’s structured and phased approach to cybersecurity, particularly for organisations with decentralised structures, as we deliver:
dotSec’s ability to work across varied IT infrastructures and deliver consistent evaluations provides a reliable basis for organisations to measure and enhance their security maturity over time.
Having the same assessors conduct consecutive assessments using identical guidelines and frameworks allowed our client to trust that improvements reflected genuine progress rather than differing methodologies or subjective evaluations.
dotSec’s ability to pivot from standard assessments to incident response demonstrates our capability, experience and readiness to tackle unforeseen challenges in both the testing and assessment, and MSIEM lines of work.
By leveraging group-wide insights, our client can now adopt scalable, cost-effective solutions tailored to their unique structure. This has already happened in the MSIEM space.
DotSec can provide you with experienced specialists who can guide your organisation through the challenging ISM and PSPF maze, and help your organisation to achieve its IRAP-compliance goals.
Our expert infosec architects understand the challenges of the IRAP-compliance process. We are experienced not just in the theory of compliance and assessment, but in the implementation of secure information systems (both in-house and hosted/cloud) for private and government organisations alike.
Our experience, gained over 25 years, ensures that we are able to identify and implement security controls effectively and efficiently.
Get in contact with us now to discuss how improved information security governance can not only achieve your compliance goals, but can also increase customer trust, reduce operational uncertainty and add value to your business.