Our client employs more than 3,500 staff across 29 locations with significant national critical infrastructure.
Given the complex nature of its systems, the client required the development of a security architecture that took into account its ICT environments, as well as Australian Government Information Security Manual (ISM) and Protective Security Policy Framework (PSPF) considerations.
Many of the systems that were deployed used inconsistent or bespoke security methods, controls and supporting systems, so one of the key aims was to standardise the security model in accordance with the risk profile of the business and mandated guidance (i.e., the ISM and PSPF).
The Security Architecture Project was to develop a detailed description of the security elements that were relevant across the client’s ICT environment, and to use these to form a series of secure patterns to assist in the development of new systems.
Our approach was to develop the security architecture in a highly structured way, to ensure that all requirements and security elements were incorporated and defined. The consultant was placed with the Enterprise Architecture team, with reporting also to the CISO.
The methodology used to develop the architecture was to:
- Identify the ICT Architecture principles, security principles and security framework
- Define the relevant security domains
- Develop a series of security service layers corresponding to the control requirements of the ISM and PSPF, as well as any relevant risk management plans
- Describe the security control outcomes required for each security service layer
- Set clear rules for the flow of data and provision of services between security domains
- Describe the governance model used to enforce the security architecture
- Create a series of architectural patterns to assist in system design across multiple security domains
While developing the security architecture, multiple meetings, workshops and review sessions were held to seek input and review commentary from stakeholders. This was complex due to the competing nature of some stakeholder roles, but resulted in an outcome that met the client’s original requirement, and was demonstrably compliant with the ISM and PSPF.
The Security Architecture that was developed was endorsed by the Chief Technology Officer, Chief Information Security Officer and lead Enterprise Architect. The benefits to the client included:
- Establishment of a baseline for new system design that was clearly and demonstrably compliant with the ISM and PSPF while leaving flexibility for risk-managed decision making.
- The identification of systemic flaws in the security of the enterprise ICT environment that could be targeted at a future time.
- Clear information on how security controls should be implemented in the technical, governance, personnel and physical aspects of modern ICT.