IRAP Assessed Cloud Collaboration for Federal Government

Objective Corporation
Friday, 01 April, 2022


There is no doubt that we live in interesting times, with global events impacting us on many levels, from the national level right down to the personal level. From an information security standpoint, there has been a heightened concern for some years about the activities of malicious actors, both criminal and state-based, with a sharp rise in cyber-attacks on both government and private organisations, including critical infrastructure.

A case in point is the current war in Ukraine. From the lead-up to the war until the present, there has been a heightened level of cyber-attack activity emanating from Russia, with the Australian Cyber Security Centre (ACSC) releasing an alert encouraging all Australian organisations to “urgently adopt an enhanced cyber security posture”.[1]

This rise in cyber threat activity is also happening in the course of a global pandemic, which has forced and encouraged organisations everywhere to adopt more remote working, and to take advantage of technology that allows their workers easier access to business information from their homes and mobile devices. In an environment where organisations such as government agencies were already trying to increase efficiencies and improve inter-agency information sharing, the imperative for controlled and secure access to privileged information has increased dramatically.

The risks of remote data access

As organisations locked down during the pandemic, many harnessed VPN technology for remote work. This puts them at risk, however, since hackers can easily use malware to exploit security vulnerabilities in VPNs and gain access to the organisation’s ICT infrastructure. This remote access method also provides no control over data that is copied to or from the remote device utilising the VPN, with employee activities being difficult or impossible to control and audit.

Australian federal government agencies need to mitigate risk by ensuring that information classified as PROTECTED is secured when collaborating cross-agency or being accessed remotely by employees. If they are using a method of sharing information that is not IRAP assessed up to the PROTECTED level, it’s not good enough. One simple misjudgement can compromise national security or cause legal, financial, and reputational damage to an agency.

One way of providing controlled and secure access to data that needs to be shared is to utilise a secure cloud service that integrates with the organisation’s document management system, and that can provide the necessary controls over access, sharing and data modification, while providing a complete audit trail of document activity.

ISM and IRAP

The core requirement of the Protective Security Policy Framework issued by the Attorney-General’s Department states that “each entity must ensure the secure operation of their ICT systems to safeguard information and the continuous delivery of government business by applying the Australian Government Information Security Manual's cyber security principles during all stages of the lifecycle of each system.”[2]

The Australian Government Information Security Manual (ISM)[3] outlines a cyber security framework that organisations can apply to protect their ICT systems from cyber threats. The ISM provides guidance on all elements of providing secure ICT infrastructure and services, not only in terms of networking and data security at the hardware and software levels, but also the software development process itself, and the vetting of all staff and procedures involved with their development, maintenance and management.

To assess independently whether systems and procedures meet the guidelines of the ISM, the Australian Signals Directorate developed the Infosec Registered Assessors Program (IRAP)[4], which allows cyber security professionals to provide independent assessment for organisations seeking to achieve a level of trust up to the PROTECTED level.

Government agencies seeking to employ secure file sharing infrastructure for information classified as PROTECTED need to be sure that the system they utilise has been fully IRAP assessed for compliance with the ISM.[5] This provides confidence that the sharing of information in this way can be well controlled and fully audited should the need arise.

Objective Connect has been found to be ‘Highly Compliant’ with the ISM security control requirements at the PROTECTED level by an independent IRAP assessor.

Objective Connect is a fit-for-purpose, secure collaboration solution that is IRAP assessed up to the PROTECTED level. A fully Australian-developed and locally hosted cloud software solution, it is designed from the ground up for ISM compliance. It enables federal government agencies to collaborate with peace of mind knowing their information is protected anytime, anywhere when sharing with external partners and agencies.

In following the ISM guidelines, Objective Connect was able to ensure that it implemented its solution in such a way as to protect and manage PROTECTED level data, and allowed it to pass a full IRAP assessment. To achieve such a certification, Objective Connect needed to be “secure by design” — the entire development process must focus on security from the ground up.

Objective Connect is delivered via tiered technical controls to provide a ‘Defence in Depth’ architecture. All data stored by Objective Connect is encrypted with AES-256 encryption at rest and in transit. Additionally, all inbound data up to 2GB in size is virus scanned. The system is also subjected to an automated weekly penetration test, and to an independent external penetration test bi-annually.

In addition to ISM compliance, Objective Software’s development process has been fully certified to comply with ISO 9001 and ISO 27001 — the international standard on how to manage information security. All staff directly involved in the development and maintenance of the Objective Connect system follow fully ISO- and ISM-aligned procedures, and have all necessary background checks and federal government clearances.

No compromise on ease-of-use

When systems are designed for high security, they often end up being more cumbersome to use. Not so with Objective Connect. It offers seamless integration with Micro Focus Content Manager and Objective ECM, in which users can easily choose what documents can be shared externally and with whom.

Workspaces can be established in seconds, sharing any file up to 10GB with staff, contractors and suppliers. Supported file types include videos, photos, presentations and PDFs among others. Updates can be made in real time via online editing, and for added security, the download of documents to the local machine can be blocked, even when online editing is enabled.

A secure way to share data while maintaining a single source of truth

With Objective Connect, two-way synchronisation ensures everyone is kept up to date. Any file you receive is automatically filed in the correct location, and flagged to ensure your metadata is always accurate. Micro Focus Content Manager and Objective ECM show on-screen prompts, so you know exactly what is being shared externally and who is doing the sharing.

Sensitive data can be shared across agencies and even nations, boosting productivity while maintaining security of your PROTECTED data, applying granular control based on individual use cases, with every action easily examined in a comprehensive, easy-to-use audit facility.

Find out more on how to mitigate risk when sharing PROTECTED information with a solution overview, or attend the upcoming Objective Connect webinar “IRAP Assessed Cloud Collaboration for Federal Government”.

References

[1] Australian Cyber Security Centre 2020, Australian organisations encouraged to urgently adopt an enhanced cyber security posture, <https://www.cyber.gov.au/acsc/view-all-content/alerts/australian-organisations-encouraged-urgently-adopt-enhanced-cyber-security-posture>

[2] Attorney-General’s Department, Protective Security Policy Framework – Information Security, <https://www.protectivesecurity.gov.au/policies/information-security>

[3] Australian Cyber Security Centre 2022, Information Security Manual, <https://www.cyber.gov.au/sites/default/files/2022-03/Information%20Security%20Manual%20%28March%202022%29.pdf>

[4] Australian Cyber Security Centre 2021, Infosec Registered Assessors Program, <https://www.cyber.gov.au/acsc/view-all-content/programs/irap>

[5] Attorney-General’s Department, Protective Security Policy Framework – Policy 11: Robust ICT Systems, <https://www.protectivesecurity.gov.au/publications-library/policy-11-robust-ict-systems>


  • All content Copyright © 2022 Westwick-Farrow Pty Ltd