Mike Mitchelmore is an IBRS advisor specialising in the areas of ICT strategy, program and project management, ICT service delivery and telecommunications. Mike has more than 40 years of experience in the ICT industry during which he has successfully led engagements in the design and deployment of a global telecommunications networks and IT platforms, negotiated managed telecommunications services, introduced new capabilities for call centres and consolidated ICT systems to focus on service delivery for citizen facing services. Mike has also assisted clients in ICT strategy, support planning, system design and architecture, and procurement strategies. Mike is a graduate of the Australian Army Command and Staff College, and the Royal Military College of Science (UK). He holds a degree in Social Science (human resource development), and graduate diplomas in Management Studies and Telecommunications Systems Management. Mike is a certified PRINCE 2 Practitioner and an ITIL (V2) Manager.
Conclusion: The ICT Disaster Recovery Plan (DRP) is, more often than not, focused on technology providing for redundancy of infrastructure and systems, including data back-up and data recovery. Whilst these components are important and necessary, we often oversimplify the need for business resumption of the ICT business, which in turn will impact ICT availability. The need to ensure people are part of the planning is critical to success. Often the disaster, whether it be a technology issue, a business issue, such as a fire or denial of access to key sites, or an environmental issue such as a flood or storm, can equally affect the need for expanded operations centres and larger than normal help desk support functions.
Effective planning and testing of the plan, for all aspects of a probable disaster scenario and the ICT Business Resumption Plan (BRP) to support the business as a whole, is necessary. Effective testing of the DRP and BRP for ICT must be a high priority for any CIO to ensure service levels are maintained. Failure to do so will increase the risk of ICT to the business.
Any test of your DRP and ICT BRP should include business and customer involvement to provide your organisation confidence that all known risks have been successfully mitigated. The oversight of the testing of these plans must be planned and conducted by an independent body (preferably a consultancy that has knowledge in the organisation business world, or your ICT advisory service).
04 September 2019
Conclusion: ICT health checks enable organisations to better understand risks and prioritise activities to both maintain and improve the performance and reliability of ICT in support of business outcomes.
ICT health checks can be conducted as a light touch in the first instance, with detailed in-depth health checks being conducted as follow-up activities in specific areas where and when necessary.
An effective ICT health check strategy will be business-focused and not based on technology alone. Implanting health checks as part of your annual ICT budget planning will provide timely advice on the organisation’s ICT health and provide in-built regular reviews of ICT health to ensure business outcomes are achieved without unnecessary risk.
05 August 2019
Conclusion: The development of a strategic relationship between suppliers and public government agencies needs to be approached differently to that in the private commercial world. Government bodies are bound by procurement rules which require government agencies to regularly market-test provision of services, where value for money is the primary consideration. Government agencies cannot therefore have a strategic partnership with suppliers in the same manner as a commercial strategic partnership. The relationship must therefore be timeboxed to meet procurement policies such as the Commonwealth Procurement Rules and cannot be open-ended1.
Strategic vendors for government agencies are either critical to the delivery of business outcomes or are influential in the development of future business opportunities.
For strategic vendor management to be successful in government, both the government agency and the vendor need to commit to effective governance of the relationship and agree to share knowledge on business strategies and product development.
05 July 2019
Conclusion: Successful businesses need their people to be productive and to perform well. Effective communication may assist i.e.suring they do. Effective communication is about thought leadership, defining a purpose, informing tasking and priorities and, most importantly, listening. Opportunities that impact productivity and the fiscal performance of organisations are often lost or not fully prosecuted due to poor communication. Poor communication will result in less than optimal planning or reduced time to react, causing the need to compromise. This, in turn, results in poor prioritisation, and i.e.erything is urgent, nothing gets the appropriate focus.
To communicate effectively at the personal, work unit and organisational levels requires a level of discipline in adherence to the basic principles of effective communication, which will lay the foundation for success.
Effective communication will improve productivity, reduce risk, reduce costs and reduce time to market. Effective communication will deliver line of sight for your strategic outcomes and in doing so will be a combat multiplier for your business.
- Sourcing & Staffing
03 June 2019
Conclusion: Telecommunications services and the supporting infrastructure have historically been complex, costly and difficult to change. The modern technology landscape now allows for greater flexibility in the design of networks, and the telecommunications services of voice, video and data they deliver.
The use of software defined networking (SDN), Cloud-based standard operating environments (SOE) with unified communications (UC) and Cloud-based call centre solutions are now mature, secure and commonplace in the market.
These changes with the significantly reduced cost of physical connectivity (lines and links), which are now viewed as a commodity, enable the telecommunications landscape to be agile to each organisation’s business needs and delivered at greatly reduced costs.
29 April 2019
Conclusion: The Agency Head/CEO is responsible to accredit the ICT system for use at the PROTECTED level. The accreditation process is specific to the services being delivered for the organisation. The Australian Signals Directorate (ASD) certification process is a generic process that assesses the Cloud Service Provider’s (CSP) level of security only.
The Agency Head/CEO remains responsible as the Accreditation Authority (AA) to accredit the security readiness for the services to be delivered for their organisation. In practice the CIO/CISO will lead the accreditation process on behalf of the CEO.
ASD’s role as the Certifying Authority (CA) for PROTECTED Cloud services provides the agency/organisation using the CSP with independent assurance that the services offered meet government Information Security Registered Assessors Program (IRAP) requirements and vulnerability assessment requirements at the PROTECTED level. The certification process provides a consistent approach to the cyber risk assessment of the CSP’s environment only. The PROTECTED Cloud certification does not cover security assessment related to the design and maintenance of the customers’ services and/or software to be run on the PROTECTED Cloud platform.
The adoption of a PROTECTED Cloud solution will still require a regular review of the security posture. ASD will conduct regular reviews of their processes as the certifying authority (CA), and the Agency Head/CEO will be required to regularly review the accreditation of the service as a whole.
05 April 2019
Conclusion: What to monitor and how you respond to the data is often poorly documented and not fully understood until after a failure occurs. In this world of “no surprises”, effective monitoring is a key success factor. If an organisation’s ICT monitoring strategy is to be successful it must be structured around the organisation’s business outcomes. The monitoring strategy framework is achieved through the alignment of the organisation’s critical-business functions, the ICT high-level design, the ICT architecture and the priorities set out in the organisation’s disaster recovery plan (DRP) as the primary influencing factors.
Key to an effective DRP is a clear understanding of the system architecture and design, with sound knowledge of the risks and weaknesses it brings in support of critical business functions. When the ICT monitoring strategy is based on this framework it will deliver a near real-time health status of the organisation’s ICT environment, allow for planning future capacity, and in the investigation of incidents when they occur. An effective monitoring strategy will be business-focused and not monitoring for monitoring’s sake.
05 March 2019
Conclusion: Cloud offerings are now commercially available, allowing CIOs to engage the technology offerings with a high degree of trust that the service is secure and responsive at reduced cost to in-house solutions.
CEOs have an obligation to ensure their organisation’s IT systems are cost-effective and meet the security accreditation defined by government (or their Board). PROTECTED Cloud services can reduce cost of operations and meet many of the CEO’s obligations for accreditation (and review) of services, and therefore better manage risk, to meet government and best practice commercial security requirements.
All PROTECTED Cloud data centres certified by ASD are physically located in Australia. Depending on your needs, they all meet Australian Government data sovereignty requirements and offer low latency and in-country technical support teams to assist clients. Provision of PROTECTED Cloud services allows the CIO to restructure IT, moving to a more agile and potentially lower cost option to provide the appropriate security approach.
04 February 2019
Conclusion: CIOs should consider the environments for their PROTECTED information, both when building new capability and/or when renewing older infrastructure and services. The need to have cost-effective infrastructure services (in-house or IaaS), accredited security of services and responsiveness for clients using the service are three key deliverables for any CIO.
The Australian Government has identified PROTECTED ratings be applied where systems and data are at risk and where the systems or data are critical to ensuring national interest, business continuity and integrity of an individual’s data. Critical business functions are a combination of the IT systems they run on and the data they consume.
Defining what should be afforded a PROTECTED rating and therefore adequately protected is an ongoing challenge. The Australian Government’s Information Security Manual (ISM) and recent legislation “Security of Critical Infrastructure Act 2018” detail the requirements and framework for reporting, on government-run IT systems and critical infrastructure. Using this framework as a base, organisations should assess whether the data or IT environments that support critical business functions should be treated as PROTECTED.
- Security Leadership
07 January 2019