Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

3 Ways to Navigate the Challenges of Australian IRAP Assessments

Compliance is a cornerstone for organisations, especially in countries such as the United States.

One would expect that mature US-based organisations would be well-versed in navigating compliance-based frameworks, ensuring their operations align with established standards. However, when these same US-based organisations seek to align their systems with the Australian Government, a challenging mindset shift is often required to adhere to a more risk-focused approach.

The Australian Government uses the Information Security Manual (ISM) as its “cornerstone” for developing cybersecurity principles to protect systems and data. Although not required as a matter of law for compliance, the ISM holds weight as considered advice by the Australian Signals Directorate (ASD), including when used for conducting security assessments performed by assessors appointed by the ASD.

Assessors registered with the ASD Infosec Registered Assessors Program (IRAP) perform these assessments. These people are required to have an appropriate level of experience as determined by the ASD as well as an understanding of the type of system they are assessing and allow Australian Government customers to validate that appropriate controls are in place for the system being assessed.

In addition, these assessments determine the responsibility model for addressing the requirements of the ISM, including relevant remediation actions and guidance for developing of the system’s plan of action and milestones.

The challenging mindset shift is one that US-based organisations experience when seeking to have their systems assessed by an IRAP assessor, specifically when moving from a compliance-based mentality often found in other cybersecurity frameworks (i.e. SOC2, ISO27K). The following are tips that these organisations can adhere to when going through the IRAP assessment process.

 

When Starting Out, do not Miss the Forest for the Trees

When obtaining evidence from within your organisation for the system being assessed, a general rule of thumb is it is most efficient to collate evidence by ISM guidelines, sections, and topics rather than immediately focusing on individual ISM controls. Although individual controls do require assessing down the track, identifying evidence that can be collated by broader strokes provides clarity on who within your organisation is able to assist in evidence collection and interview discussions with the IRAP assessor. Similarly, this will also help quickly identify entire areas of the ISM that can immediately be determined not applicable to the system, though justification is still required when determining why this is the case with the IRAP assessor.

 

The End Goal is not Perfection, but Understanding Risk

There is often pressure amongst organisations to maximise their adherence to standardised controls within compliance-based frameworks. However, in contrast the value of an IRAP assessment stems from an understanding of the system’s risk profile, as dependent on the security classification of the data managed by that system. Although organisations should still seek to address applicable controls effectively, it is just as important that alternate controls are identified, and business justifications raised for any controls determined not to require implementation.

 

When in Doubt, Ask your IRAP Assessor the Question

The process of undertaking an IRAP assessment can be a daunting task for organisations that have little or no experience with either the assessment process or the ISM.

Although it is within the best interests of an IRAP assessor to clearly indicate expectations and required evidence as part of the assessment, organisations working with assessors should still come prepared with their questions should any doubts arise as to how the ISM guidelines, sections, topics, or even individual controls would be reviewed. The System Hardening guideline, in particular, can be challenging even for the most experienced assessor!

For instance, if there is any ambiguity in the wording of a given control, organisations should seek clarity from their IRAP assessor, ideally earlier within the assessment, to ensure appropriate evidence is provided, in turn preventing potential misunderstandings.

The IRAP assessment process can already prove challenging for Australian-based organisations, and the additional hurdles that US-based organisations need to tackle can be managed by leaning towards a risk-focused approach. By collaborating with IRAP assessors and through sufficient preparation, these challenges can be successfully navigated and help streamline the overall assessment process.

Latest Trustwave Blogs

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More

Trustwave SpiderLabs: Ransomware Gangs Dominate 2024 Education Threat Landscape

The security teams manning the defenses at the higher education and primary school system levels often find themselves being tested by threat actors taking advantage of the sector's inherent cyber...

Read More

LockBit Takedown: Law Enforcement Disrupts Operations, but Ransomware Threats Likely to Persist

The news that US, UK, and other international law enforcement agencies disrupted LockBit is welcome, as stopping any threat group activity is always a positive. The unfortunate aspect is this blow...

Read More