CASE STUDY

Government Security Accreditation


Overview

Federal Government contracts for Defence capability usually require security accreditation against the Australian Government Information Security Manual (ISM). The ISM is lengthy, complex and frequently updated, with its more than 800 controls being updated, removed, added to and reworded. If left to unqualified personnel, accreditation quickly turns into a time drain and has significant repercussions: it affects project timelines, delays payment milestones, and may even jeopardise the entire contract.

With the amount of detail covered in the ISM, it is crucial that the implications for system architecture are well understood so that they do not detract from the usability of the system. The process is also intricate because separate compliance standards may need to be integrated in a complementary manner (e.g. DISP, ISO 27001, NIST, PCI DSS).

Ravinn work with our clients to ensure they meet a range of Australian or New Zealand Government requirements for information security. 

As experts in security accreditation, we guide organisations through the process, advise on integrating requirements with system architecture, explain any aspects that may seem unclear and can assist with the vast amount of documentation that is required.

 Accreditation against the ISM requires a suite of documentation including: 

  • System Security Plan and its Annex A (the Statement of Applicability)  
  • Security Risk Management Plan  
  • System-specific Incident Response Plan  

In order to successfully achieve accreditation, these documents need to be templated and must address the ISM and the cyber risks to the system in a specific way. Producing this documentation takes a significant investment of time and it is essential that it is done in such a way as to highlight the security measures of the system and their relationship to the requirements of the standard.  

The challenge

A Defence Industry Prime turned to Ravinn for help after realising that seeking accreditation internally consumed important resources that could have been used for other project operations. 

They had a major land capability project and needed expert services to produce high-quality documentation highlighting the great care they had put into integrating security into their platform.

The Ravinn team developed a deep understanding of the systems requiring accreditation in order to fully understand the risks and subsequent security control requirements. Ravinn provided guidance throughout the accreditation process, assisted with the preparation of required documentation and worked with the client to demonstrate compliance with the ISM as a baseline.  

The outcome

Ravinn provided professionals with a thorough understanding not only of the accreditation standards, the ISM controls and their implementation, but also of the various stages of the accreditation process. This gave the client the assurance that they were on schedule, well prepared, and capable of responding to any concerns voiced by Defence.

The Ravinn team also combed through the client’s technical engineering documents and discovered other aspects of compliance in the system architecture that could be matched to the criteria but which the client had not previously recognised as important. The client was therefore happy to discover that they were already fulfilling more criteria than they had anticipated.

The Ravinn team is knowledgeable about a wide range of operating systems, architectures, and system types. As such, we were able to advise on matching Linux hardening to ISM controls as well as database requirements. The client was delighted to learn that Ravinn could assist them not only to highlight the security in their system in the best possible way, but also to suggest how to augment that security where needed.

Additionally, Ravinn was able to provide options for how other requirements could be met, allowing the client to choose the most effective way of doing so. By doing this we helped the client to position themselves favourably for their long-term relationship as a supplier to Defence. 

Ravinn has become a trusted ally and advisor to the client, relieving them of the onerous components of the accreditation process.

 

“We really appreciate the level of understanding Ravinn have gained on the system, and the proactive and collaborative approach to the work”

C4ISREW System Architect, Major defence industry manufacturer.

 
