PROTECTED Cloud: Cyber considerations
Conclusion: The Agency Head/CEO is responsible for accrediting the ICT system for use at the PROTECTED level. The accreditation process is specific to the services being delivered for the organisation. The Australian Signals Directorate (ASD) certification process is a generic process that assesses the Cloud Service Provider’s (CSP) level of security only.
The Agency Head/CEO remains responsible, as the Accreditation Authority (AA), for accrediting the security readiness of the services to be delivered for their organisation. In practice, the CIO/CISO will lead the accreditation process on behalf of the CEO.
ASD’s role as the Certifying Authority (CA) for PROTECTED Cloud services provides the agency/organisation using the CSP with independent assurance that the services offered meet government Information Security Registered Assessors Program (IRAP) requirements and vulnerability assessment requirements at the PROTECTED level. The certification process provides a consistent approach to the cyber risk assessment of the CSP’s environment only. The PROTECTED Cloud certification does not cover security assessment related to the design and maintenance of the customers’ services and/or software to be run on the PROTECTED Cloud platform.
The adoption of a PROTECTED Cloud solution will still require a regular review of the security posture. ASD will conduct regular reviews of their processes as the certifying authority (CA), and the Agency Head/CEO will be required to regularly review the accreditation of the service as a whole.
About The Advisor
Mike Mitchelmore is an IBRS advisor specialising in the areas of ICT strategy, program and project management, ICT service delivery and telecommunications. Mike has more than 40 years of experience in the ICT industry, during which he has successfully led engagements in the design and deployment of global telecommunications networks and IT platforms, negotiated managed telecommunications services, introduced new capabilities for call centres and consolidated ICT systems to focus on service delivery for citizen-facing services. Mike has also assisted clients in ICT strategy, support planning, system design and architecture, and procurement strategies. Mike is a graduate of the Australian Army Command and Staff College, and the Royal Military College of Science (UK). He holds a degree in Social Science (human resource development), and graduate diplomas in Management Studies and Telecommunications Systems Management. Mike is a certified PRINCE 2 Practitioner and an ITIL (V2) Manager.