Applying the ISM: Security Accreditation Services with Ravinn
Summary
A Defence Industry Prime sought out Ravinn, a trusted ally in accreditation processes, to support their Information Security Manual (ISM) security accreditation. In the context of a significant land capability project, they required specialised assistance in crafting highly detailed documentation that would underscore their meticulous efforts in seamlessly incorporating security measures into their platform.
Key Outputs
Ravinn have enabled our client to position themselves advantageously for their long-term relationship as a supplier to Defence. Our team of experts was able to apply a deep knowledge of the accreditation requirements, ISM controls, and their implementation to:
- Advise and guide on the stages of the accreditation process itself
- Advise on integrating requirements with system architecture
- Uncover additional aspects of compliance within the client's system design
- Give the client the confidence to know that they were on-track, well-prepared and able to address any concerns raised by Defence
Challenge
Security accreditation is an essential undertaking, but can easily transform into a significant drain on time and resources, particularly through:
- Distraction of staff, particularly those who are essential to other vital tasks, which can be a substantial challenge
- Delays in achieving accreditation, which can delay the entire project timeline and payment milestones, and in the worst case may even jeopardise the entire contract.
Most major contracts for the Federal Government require security accreditation against the Australian Government Information Security Manual (ISM). The ISM is lengthy and complex, with almost 900 controls that are reviewed frequently and updated as the cyber threat environment continues to evolve.
Implementing any security standard in a manner that does not detract from the usability of the system is always an intricate process, and with the level of detail covered in the ISM, it is essential that the implications for system architecture are well understood. For example:
- It is sometimes not obvious what the ISM means by the term “gateway” and to which devices it applies; and
- An organisation may have to navigate its own compliance with other standards, such as DISP, ISO 27001, NIST, PCI DSS, IS18:2018 etc., and integrate aspects of each.
Accreditation against the ISM requires a suite of documentation. The core documents are the System Security Plan and its Annex A (the Statement of Applicability) and the Security Risk Management Plan. Further documentation which is often sought to complement the package includes a system-specific Incident Response Plan and a Key Management Plan.
These documents must address the ISM and the cyber risks to the system in a specific way. Producing this documentation takes a significant investment of time and it is essential that it is done in such a way as to highlight the security measures of the system and their relationship to the requirements of the standard.
Choosing Ravinn
Our client, a Defence Industry Prime, approached us for assistance. They had a major land capability project and needed expert aid to produce high quality documentation spotlighting the excellent attention to detail they had put into integrating security into their platform.
Ravinn was able to provide expert guidance throughout the accreditation process, assist with the preparation of required documentation and work with them to demonstrate that the outstanding work they were doing on project deliverables provided a high degree of compliance with the ISM as a baseline. Ravinn was able to assist with advocating this position to Defence and explaining how the system addressed identified risks and threats.
Outputs
Ravinn’s team provides deep knowledge not only of the accreditation requirements, the ISM controls and their implementation, but also of the stages of the accreditation process itself. This gave the client the confidence to know that they were on-track, well-prepared and able to address any concerns raised by Defence.
Ravinn are familiar with many types of systems, architectures and operating systems. We were able to advise on matching Linux hardening to ISM controls, as well as on database requirements. The client was very pleased to note that Ravinn could help them not only to highlight the security in their system in the best possible way, but also to suggest how to augment that security where needed.
Additional Benefits
Outside the original intended scope of work, Ravinn were able to explain options for how other requirements could be met, allowing the client to choose the most effective way of doing so. We dug through the technical engineering documentation being produced by the client and found additional aspects of compliance within the system design which could be matched to the requirements, and which the client had not previously realised were relevant. They were pleased to find that they were already meeting more requirements than they had thought.
“Overall, Ravinn have enabled our client to position themselves advantageously for their long-term relationship as a supplier to Defence”
Dr Claire Lentz, Lead Ravinn GRC Consultant, Science-fiction Nerd, Part-time Historian