Security Accreditation Documentation

Overview

A major Australian Government Department required assistance in developing security documentation to support its system security accreditation function, as outlined in the Australian Government Information Security Manual (ISM). The purpose was not only to achieve compliance with the governance elements of the ISM, but also to achieve consistent management of information security risk across various systems, technologies and business processes. A range of systems were successfully assessed, documented, certified and subsequently accredited.

The north way

north provided guidance on scope, engaged with stakeholders, and developed the required security documentation (Security Risk Management Plans, System Security Plans and Statements of Applicability) for the various systems. north is still engaged with this customer and continues to provide these services.

north provided advice not only on how systems should be scoped, but also on how systems could be categorised to support the wider system accreditation framework. This included advice on how existing security controls could be incorporated into scheduled security documentation engagements, and how new information could be captured for effective reuse across multiple documentation sets.

north worked with various stakeholders to define scope, identify and rate risks, document controls and drive delivery of formally accepted security documents. Our consultants used their advanced skills and experience to identify appropriate risk controls and negotiate their acceptance by the stakeholder group. They further briefed the Cyber Security team and executives on the outcome of the assessments and gained acceptance of the documents for formal inclusion in wider organisational risk management processes. The customer provided their risk assessment schema, which was used to ensure consistency in the way risks were described across the various systems.

Clear communication and reporting ensured deliverables were completed within the required timeframes, while maintaining the quality needed for their acceptance and providing a strong basis for further system security assessment.

Outcome

north has delivered system security documentation across various systems, technologies and services that has not only significantly improved the understanding of risk across the Department but has also catalysed the implementation of additional security risk controls to protect systems from unacceptable risks. north continues to provide this service to the customer and delivers a collective capability of skills and experience to assist in the management of security risk across the ICT landscape.