Information Security Compliance
Our Defence customer was seeking to achieve IRAP (Information Security Registered Assessors Program) certification for data classified as OFFICIAL: SENSITIVE with the future goal of achieving PROTECTED classification. This relates to the sensitive nature of the work they undertake.
A Stage 1 assessment was completed by a certified IRAP Assessor, who provided a report including a gap analysis on security compliance against the Australian Cyber Security Centre (ACSC) Information Security Manual and the Essential Eight.
The organisation’s Board committed to completing Stage 2 assessment before the end of 2020 to enable application for accreditation.
As the managed service partner for our customer, the Chamonix Infrastructure and Security Services team put forward a proposal based on the Microsoft 365 stack to replace the existing hybrid services and to address the compliance requirements for handling data up to PROTECTED classification. As part of this, we also sought to improve secure mobile access to business services and data while reducing the operational effort required to maintain security compliance. The proposal drew on platforms within the stack for hardening endpoint devices and managing secure mobile access to services, including Microsoft Intune, Microsoft Defender ATP, Identity Protection, Conditional Access and Microsoft Cloud App Security. The proposed solution broadly follows the Zero Trust security model, enabling secure delivery of services to a mobile workforce: https://www.microsoft.com/en-au/security/business/zero-trust.
The Chamonix team worked closely with our customer's other service providers, who supplied independent security advice and network services, to plan, design and implement the transition to cloud-native services, incorporating the security controls their systems and services needed in order to pass an IRAP Stage 2 assessment.
To date, we have worked with our customer to transition all business systems and data to cloud native platforms and are in the process of completing the final activities required to decommission remaining hybrid systems. An independent security company was engaged to perform the IRAP Stage 2 assessment for use with digital assets up to OFFICIAL, resulting in a positive recommendation for accreditation. The report included assessment of Essential Eight Maturity with the following findings:
- Application control – Maturity level 3
- Patch applications – Maturity level 3
- Configure Microsoft Office macro settings – Maturity level 3
- User application hardening – Maturity level 3
- Restrict administrative privileges – Maturity level 3
- Patch Operating Systems – Maturity level 3
- Multi-factor authentication – Maturity level 2 (the use of mobile app one-time password tokens for standard accounts was accepted as a risk by the business; maturity level 3 compliant physical tokens have been implemented for all privileged accounts)
- Daily backups – Maturity level 3
The IRAP assessor commented that this was one of the highest levels of maturity against the Essential Eight he had come across for comparable organisations.
The assessor also provided a gap analysis report identifying controls required to meet the requirements for handling digital assets with PROTECTED classification. The majority of these controls relate to business policies and processes.
The positive recommendation from the IRAP assessor enables an application for accreditation, certifying that the customer has implemented the required cyber security controls from a legislative and compliance perspective and enabling them to continue business operations.
In addition, the customer has successfully transitioned to powerful SaaS platforms that provide:
- Increased productivity for staff working remotely through secure cross-platform mobile access to business services and data
- Advanced collaboration capabilities
- Built-in high availability and disaster recovery to support business continuity
- Advanced cyber security capabilities protecting against modern threats
- Reduced cost and complexity
With the restrictions that came into place with COVID-19, the transition to the Microsoft 365 platforms was of significant benefit, enabling the business to immediately adopt work from home arrangements. The advanced collaboration, audio/video conferencing and online meeting capabilities allowed the business to continue normal business operations with minimal impact.