Compliance is a cornerstone for organisations, especially in countries such as the United States.
One would expect that mature US-based organisations would be well-versed in navigating compliance-based frameworks, ensuring their operations align with established standards. However, when these same US-based organisations seek to align their systems with the Australian Government, a challenging mindset shift is often required to adhere to a more risk-focused approach.
The Australian Government uses the Information Security Manual (ISM) as its “cornerstone” for developing cybersecurity principles to protect systems and data. Although not required as a matter of law for compliance, the ISM holds weight as considered advice by the Australian Signals Directorate (ASD), including when used for conducting security assessments performed by assessors appointed by the ASD.
Assessors registered with the ASD Infosec Registered Assessors Program (IRAP) perform these assessments. These people are required to have an appropriate level of experience as determined by the ASD as well as an understanding of the type of system they are assessing and allow Australian Government customers to validate that appropriate controls are in place for the system being assessed.
In addition, these assessments determine the responsibility model for addressing the requirements of the ISM, including relevant remediation actions and guidance for developing of the system’s plan of action and milestones.
The challenging mindset shift is one that US-based organisations experience when seeking to have their systems assessed by an IRAP assessor, specifically when moving from a compliance-based mentality often found in other cybersecurity frameworks (i.e. SOC2, ISO27K). The following are tips that these organisations can adhere to when going through the IRAP assessment process.
When Starting Out, do not Miss the Forest for the Trees
When obtaining evidence from within your organisation for the system being assessed, a general rule of thumb is it is most efficient to collate evidence by ISM guidelines, sections, and topics rather than immediately focusing on individual ISM controls. Although individual controls do require assessing down the track, identifying evidence that can be collated by broader strokes provides clarity on who within your organisation is able to assist in evidence collection and interview discussions with the IRAP assessor. Similarly, this will also help quickly identify entire areas of the ISM that can immediately be determined not applicable to the system, though justification is still required when determining why this is the case with the IRAP assessor.
The End Goal is not Perfection, but Understanding Risk
There is often pressure amongst organisations to maximise their adherence to standardised controls within compliance-based frameworks. However, in contrast the value of an IRAP assessment stems from an understanding of the system’s risk profile, as dependent on the security classification of the data managed by that system. Although organisations should still seek to address applicable controls effectively, it is just as important that alternate controls are identified, and business justifications raised for any controls determined not to require implementation.
When in Doubt, Ask your IRAP Assessor the Question
The process of undertaking an IRAP assessment can be a daunting task for organisations that have little or no experience with either the assessment process or the ISM.
Although it is within the best interests of an IRAP assessor to clearly indicate expectations and required evidence as part of the assessment, organisations working with assessors should still come prepared with their questions should any doubts arise as to how the ISM guidelines, sections, topics, or even individual controls would be reviewed. The System Hardening guideline, in particular, can be challenging even for the most experienced assessor!
For instance, if there is any ambiguity in the wording of a given control, organisations should seek clarity from their IRAP assessor, ideally earlier within the assessment, to ensure appropriate evidence is provided, in turn preventing potential misunderstandings.
The IRAP assessment process can already prove challenging for Australian-based organisations, and the additional hurdles that US-based organisations need to tackle can be managed by leaning towards a risk-focused approach. By collaborating with IRAP assessors and through sufficient preparation, these challenges can be successfully navigated and help streamline the overall assessment process.
