ENGAGEMENTS
CYBER RESILIENCE
The client required an independent assessment of the extent to which it reflected mandatory Australian Government Cyber Security controls. We understood how controls were applied to each computing platform and endpoint, and the mechanisms for their maintenance. We assessed management's quality assurance and oversight mechanisms. Testing these mechanisms under an appropriate sampling approach allowed us to reach conclusions about the cyber resilience of the client's broader IT environment.
SUPPLY CHAIN ASSURANCE
The client engages with more than 400 individual organisations to deliver government program services nationally, each of which holds a volume of information about individuals who participate in the programs. A conceptual framework existed, which needed to be further developed so that it could be operationalised in a consistent, repeatable way. We tailored and operated a supply chain assurance methodology for the organisation, developing assessment methodologies, tools and protocols to help the client gain assurance regarding the cyber security posture of its service providers. We operated the framework, assessing cyber security maturity and reporting to the client's Certification and Accreditation Authorities. We later refined the approach by improving the clarity of published reference materials and expanding the methodology to provide a streamlined assurance pathway for the client's lowest-risk suppliers. Based on a unique combination of the ISO 27001 standard and the Australian Government Information Security Manual, the approach effectively assured the client about a large and diverse supply chain, and also served to improve the cyber security maturity of an entire Australian industry sector that includes organisations with billion-dollar turnover as well as sole trader operators in remote regions of Australia.
SUPPORTING THE ISM'S SIX-STEP APPROACH
The client operated a complex IT network and key applications designed to capture and report on performance and business data. We rapidly understood the environment and documented the architecture of each application and of the host network. We completed technical security threat and risk assessments over each, and identified the risk mitigation strategies and controls that were already in place. We developed an ISM System Security Plan (Statement of Applicability) for each system and prepared a thorough security documentation and control evidence package, ready for an independent security assessor to rapidly approve. We prepared an action plan and roadmap to address identified control gaps, which was subsequently implemented, and the systems ultimately received the required Authority to Operate from the client's Chief Security Officer.
ICT PORTFOLIO GOVERNANCE
Mid-way through a multi-year Strategic Plan, the client sought confidence that delivery of the strategy was appropriately governed and managed such that anticipated outcomes could be achieved. We assessed ICT governance roles and responsibilities, the quality of information reported to the entity's ICT governance board, and the effectiveness of ICT governance overall. We also examined a sample of ICT programs and projects and reviewed enterprise Program Management Office activity to identify opportunities to strengthen the organisation's management approach, as well as the extent to which approved approaches were being followed. Recommendations helped to reframe the ICT governance framework, improve CIO-to-business stakeholder management and communications, and assist the IT division to better deliver future initiatives using an agile approach to application development.