Security Policy and Frameworks

The Latest

12 April 2022: Research by risk consulting firm Kroll revealed a 356 per cent surge in common vulnerabilities and exposures (CVEs) or zero-day vulnerabilities (also known as freshly announced threats) in the last three months of 2021 compared to the previous quarter. By December, an increase in new ransomware variants was detected in ManageEngine, ProxyShell, VMWare, and SonicWal pushed CVE logs to an all-time high.

Kroll’s industry survey revealed that while phishing remained the most popular initial access infection vector, at 39 per cent in the fourth quarter, CVE increased from 6 per cent to 27 per cent in the same period.


Source: Q4 2021 Threat Landscape: Software Exploits Abound


Why it’s Important

Many incidents of ransomware continue to impact Australian organisations who are considered prime targets due to (a) their capacity to pay and (b) their relatively immature (from a global perspective) cyber-defence and cyber-response capabilities of a larger number of mid-sized enterprises. Many of these organisations struggle to close common vulnerabilities, let alone zero-day exploits, quickly enough to avoid intrusions due to their weak defence postures.

Organisations need to address their ability to defend against such attacks and respond appropriately to limit any impact caused by breaches. More effort is required across industries to contain the likelihood of attacks impacting productivity, reputation and financial resources, rather than just within individual businesses. This will support sharing of intelligence and the growth of cyber-defence nationally.

Who’s impacted

  • CMO
  • Development team leads
  • Business analysts

What’s Next?

  • Cyber-defence can no longer be left to a 'best effort' basis by ICT groups. Organisations that lack a dedicated cyber security specialist, must seek out specialist services, peer groups and forums, and actively leverage better practices from these groups.
  • Evaluate the status of your enterprise’s ransomware defence and look into the strengths and weaknesses of your current security posture.
  • Create a dedicated team that will develop a roadmap to improve the organisation’s stance against ransomware.

Related IBRS Advisory

  1. The Security Impact of Remote Working: Find the Gaps in (Zero) Trust
  2. Use Security Principles to Guide Security Strategy
  3. Reducing the Risk of a Successful Ransomware Attack


Over the last 12 months, cyber security breaches arising from compromising third parties have featured in the headlines. Previously, most organisations had given little thought to their reliance on third parties for critical services, software, and the protection of sensitive information. As such, in many cases the issue has flown largely under the radar.

A compromise via a third party is now an increasingly common attack vector. This is due to the fact that the smaller third parties often hold critical data and an attack on one third party can quickly be leveraged as an attack on all its customers. Additionally, some smaller third parties do not have best-practice cyber security capabilities in place.

Security Frameworks such as NIST and ISO 27001 have long identified risks arising from third parties. CIOs need to move quickly to identify, assess, and mitigate risks from their third parties. This article provides some recommendations that will assist in managing these risks.

The Latest

28 October 2021: The US Senate voted unanimously to deny Huawei and ZTE from supplying equipment to US enterprises due to national security threats that would violate the Secure Equipment Act. Once approved by Pres. Joe Biden, the companies will not be granted equipment licenses by the Federal Communications Commission (FCC) under its ‘Covered Equipment or Services List’. A few days before, the Federal Bureau of Investigation (FBI) raided PAX Technology's Jacksonville warehouse after reports of alleged transmission of malware through the Chinese manufacturer's point-of-sale (PoS) terminals.

Why it’s Important.

As a member of Five Eyes (FVEY), an alliance of countries including Canada, New Zealand, the UK and the US, for joint cooperation in signals, military and human intelligence, Australia has previously followed the US in cutting off suspicious foreign tech companies' domestic presence due to national security concerns.

  • Australia blacklisted Huawei and ZTE in 2018 from selling 5G equipment. The two firms vehemently dismissed accusations over high-speed mobile network espionage, citing discriminatory tactics even with a no-backdoor agreement. 
  • In the same year, the Australian Defence Department banned messaging and payment app WeChat for failing to meet the organisation's standards for use on networks and mobile devices but not necessarily because of security and privacy issues.
  • In late October 2021, PoS terminals from PAX were detected sending anomalous network traffic, which has seen formal requests to replace the equipment due to security concerns. 

The fundamental issue here is supply chain security - the ability of nation state actors to inject spyware (or other malware) into equipment that is broadly used globally. Even where the security risks are not validated, the potential remains. It must also be noted that in the recent past, allies of Australia have engaged in such activities.

With the current geopolitics on global telecommunications being influenced by the US, sweeping impacts on the global supply chain and reduced competition in the market are likely.  

IBRS expects this technology supply spat will expand into areas outside of telecommunications, such as industrial control systems and PoS. Any widespread technology that can be used to impact or monitor aspects of national economies are likely targets.

Who’s impacted

  • Telecommunications procurement

What’s Next?

For organisations considering foreign-manufactured tech products and services, look more closely at the implications of selecting such equipment or platforms. While there is still no public evidence on the credibility of allegations against specific state actors, senior leaders must take security concerns in their organisation and assess the risks they are willing to take when selecting any vendor.

In addition to the security risks, there are also reputational risks, and risks associated with having to replace key solutions, such as is the case with the PAX PoS hardware.

Related IBRS Advisory

  1. Choosing Huawei could be risky - but not why you think
  2. Are you FRUSTRATED with procurement? Why procurement often goes off the rails

The Latest

16 August 2021: VMware and AWS announced that VMware Cloud had been independently assessed by an Information Security Registered Assessors Program (IRAP) assessor against the Information Security Manual (ISM) PROTECTED controls.

Why it’s Important

IBRS has noted that VMware Cloud is becoming increasingly popular as a management platform for hybrid Cloud. Its main attraction is that it offers a smooth ‘lift-and-shift’ of on-premises vSphere environments to a hyperscale over time, with different aspects of the data centre ecosystem running in the Cloud and/or on-prem. The VMCloud approach is particularly attractive for heavily regulated organisations and agencies, since it supports Amazon Elastic Compute Cloud elastic, bare-metal infrastructure. 

By assessing the VMCloud service, public sector customers have the opportunity to accelerate their Cloud migration, moving more of the load from on-prem environments to Cloud, while retaining operational consistency with their on-prem data centre.

While VMware Cloud IRAP for PROTECTED status is very much welcome, there is also the risk that IRAP is treated more as a ‘check-box’ in a security policy, rather than a foundation on which to build robot security practices. Many Cloud breaches are not the result of zero day exploits or misconfigurations from vendors (despite recent issues with Azure) but rather weak configuration management. This is exacerbated by the ongoing skills shortage in Cloud engineers, plus the even more critical shortage of cyber security professionals.

VMware Cloud provides common approaches to managing the Cloud environment, but it is only as good as the attention to detail given to the configuration of the environment. Tools such as GorillaStack can assist, but operational security is ultimately a matter of practice.

Who’s impacted

  • CISO
  • Cloud teams

What’s Next?

When considering Cloud management tools, security certifications and IRAP assessments are a sign that the vendor has best practices in place, but are not a panacea for mitigating risk. Treat them accordingly. 

Related IBRS Advisory

  1. Cloud Security Considerations – Lessons from the Frontline
  2. PROTECTED Cloud: Cyber considerations
  3. The value proposition for PROTECTED Cloud
  4. Why Cloud Certified People Are in Hot Demand
  5. VENDORiQ: Microsoft Cloud Database Security Flaw - A Nightmare or a Wake-up Call?


Traditional development practices have been supplanted by the DevOps movement over the past decade. The next evolution is the movement towards DevSecOps where security is integrated across the development lifecycle.

DevSecOps is not just a matter of buying the latest tooling and running the developers through some training. It requires commitment, not just from the technology group as a whole but from the business leaders themselves.

It is as transformative a project for an organisation as is a move from on-premise to Cloud. Poorly managed or even unplanned DevSecOps can have a negative impact on the development capabilities within an organisation.

IBRSiQ is a database of Client inquiries and is designed to get you talking to our advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.


While some bots may be benign, many are engaged in unscrupulous behaviour, such as stealing valuable commercial data or attempting to obtain access illegitimately. At best, bots are a drain on an organisation's resources, increase demands on infrastructure and causing the expenditure of resources, pushing up costs. In the worst case, they represent a significant cyber threat.

IBRS interviewed experts in the field of bot defence: Craig Templeton, CISO and GM Tech Platforms with REA Group and Sam Crowther, developer of the Kasada bot defence platform.


As is common in security, a buzzword becomes a product segment which is then flooded with new entrants or even old players with new offerings. A classic case is the detection and response segment. Initially, it was one approach – endpoint detection and response. But as vendors entered the segment they were driven to find differentiation points to stand out from the crowd.

What was a simple segment became one with many new acronyms, new problem definitions and of course a plethora of products. To help understand the basic differentiation of products in this segment this advisory provides a direct and simple definition for each main sector along with points to note about how to select any specific product in the segment.


The recent SolarWinds security compromise provides a timely reminder that a cyber security compromise from third parties is a clear and present threat. Virtually all organisations utilise third party vendors to provide services, software solutions and to store data. For these reasons, it is essential that all organisations have a third party risk assessment and compliance program as part of a broader cyber security strategy. Given that organisations utilise a multitude of vendors it is impractical to adopt a one-size-fits-all approach to third party risk management. This article provides a pragmatic approach to mitigating this risk.

IBRSiQ is a database of Client inquiries and is designed to get you talking to our advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Conclusion: Passwords will continue to be part of the landscape for the foreseeable future. Organisations, driven by the concepts of defence in depth, must implement techniques that enhance the security of the authentication process. Both products and processes can be enabled or added to help secure the creation, use and storage of passwords.

Each of the techniques mentioned can be used on their own to enrich the security. Some or all of them can be combined to further build the security. Most of them have little associated costs apart from deployment and perhaps training, but the cumulative impact on the robustness of the authentication process is significant.

Conclusion: Cyber incidents and the protection of information have now taken enterprise and national significance. 

Organisations will need to learn to operate securely in a zero trust world. With an ever-increasing number of cyber-related incidents, cyber security risk has evolved from a technical risk to a strategic enterprise risk. The risk of a compromise for most organisations is increasing with the acceleration of digital transformation, adoption of technologies such as Cloud services, analytics and IoT. The threat landscape is further compounded by increased regulatory and compliance requirements.

A cyber compromise is almost inevitable and organisations are now focusing on improving the resilience of their organisation to a cyber incident. Many organisations now have cyber resilience programs in place which not only protect and defend their key information assets but are also well placed to respond should a cyber incident occur. Our cyber strategy, roadmap and implementation advisory are designed to assist on your cyber resilience journey.

Conclusion: People are and will be using passwords for the foreseeable future despite the numerous efforts underway to dispense with them. Managing them and particularly resetting them are ongoing costs for organisations.

Passwords are also a significant contributor to breaches. They are either captured during credential-grabbing efforts, leaked in a data breach or just too easy to guess.

Yet there are excellent guidelines in existence to assist people to minimise the possibility of passwords being cracked or guessed. Some involve implementing good policies, and most involve making it easier for users to create, remember and use passwords.

Conclusion: Identity and access management is a crucial component of an organisation’s security posture. At its most basic, it is how an organisation determines whether an individual can access resources or not. In today’s world, it is also becoming the basis of how applications first identify then communicate with each other.

Assurance of identity is the cornerstone of managing access to information. An organisation must be confident in that assurance. One method of bolstering the strength of that assurance could be the deployment of multi-factor authentication – at a minimum to privileged users, but ideally to all users of the services and applications whether those users are staff or not.

As organisations move from office-bound networks to distributed workforces combined with Cloud-based Software-as-a-Service (SaaS) applications, identity will evolve to be almost the sole element used to assess and grant access. Identity is certainly a central element of zero trust environments.

Philip Nesci, IBRS adviser and former CIO, has warned that agencies will need to get their information management sorted out to capitalise on the new rules.

‘‘Agencies need to identify their high-value data sets and where they are located.’’ 

Full Story.

Conclusion: Australian financial organisations have been bombarding their suppliers and partners with requests to complete security assessments. If servicing or dealing with financial organisations is part of the operational model for the organisation, this has probably already happened or is about to happen.

Those financial bodies are being driven by an Australian Prudential Regulation Authority (APRA) issued prudential standard CPS 234 (Cross-industry Prudential Standard). This document lays out how a financial body should manage its cyber security with particular emphasis on extending that management to parties that support or supply the financial body.

These assessments can be tedious and raise concerns about cyber security maturity within the organisation. On the other hand, they bring a clear high-level focus on areas that all organisations should either be covering or working towards covering. This makes CPS 234 a valuable reference for senior executives building a cyber security program.

Conclusion: In the current COVID-19-driven environment, video conference calls have become the stuff of life. They are used for school, family, leisure and even work. Numbers of call attendees have jumped from tens of millions to more than 300 million worldwide. As is normal in technology, there are a plethora of options to choose from.

One of those, Zoom, has made the news repeatedly over the period of April-May, initially because of its popularity but then because security flaws were being discovered. With the flaws seemingly serious, commentators were recommending organisations abandon Zoom. Many organisations did so, given the amount of coverage the flaws received.

But the product was and is popular. It is one of the easiest video conferencing products to use. It works well and is simple to deploy. A valid question to ask is whether Zoom is safe to use for business purposes. Taking a realistic view of the flaws combined with efforts Zoom has made to correct some of them leads to the conclusion that Zoom is safe for general business usage.

Conclusion: The increased proliferation of critical digital services has resulted in ransomware attacks becoming one of hackers’ means to make money. As a consequence, many organisations have become the victims of such attacks. IT organisations should implement a full recovery strategy to restore IT services in the event of ransomware attacks. The recovery strategy should become an integral part of the disaster recovery plan. This will raise business stakeholders’ trust in the service security and reduce the spread of this type of IT organised crime.

Conclusions: Patching systems is regularly touted as the panacea for security breaches, yet many organisations continue to struggle with that seemingly simple process. There is obviously more to the problem than just buying and deploying a patch management system.

Most organisations are well-intentioned; it is not that they do not want to patch. As one delves deeper into the tasks around patching, it soon becomes clear that many unintentional, and some intentional, roadblocks exist in almost every organisation.

This note attempts to sort through some of those roadblocks and offer some approaches to diminish their impact. Some resources are identified to help with the design and build of a patch service. There is a real dearth of well-structured information around the patching process overall.

IBRSiQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Conclusion: As detailed in part one of this pair of notes, the Australian Signals Directorate’s Essential Eight (E8) are detailed technical recommendations for securing an information infrastructure. Implementing them has been touted as being effective against over 85 % of potential attacks. It is hard to ignore that benefit to an organisation’s security stance.

The first note went on to highlight the real-world implications of attempting to implement the E8; in particular, listing the prerequisites for the implementation. Each of the E8 assumes that an organisation has in place the underlying capabilities and information that provide the supporting base for each element of the E8.

While at first glance that appears to put a negative connotation on deploying the E8, in many ways it points to some basic processes and capabilities that any organisation should have in place to use its information infrastructure effectively. This note will explore those implications. It will help any organisation build the basics of an effective security regime.

Conclusion: The Essential Eight from the Australian Signals Directorate constitutes a recommended set of strategies to reduce the risk of cyber intrusion. They are said to prevent up to 85% of potential attacks. They are certainly worth assessing as a strategy to apply as an organisation plans out its security strategy.

However, while they may seem simple at first glance, the prerequisites for their implementation are far reaching. These add significant cost and effort to any attempt to take advantage of the E8. In fact, the effort and planning can easily exceed the effort in seemingly just doing the E8.

This will be a two-part article. The first part will explain the question at hand and describe the premise being explored. The second part will work through the implications for an organisation and list the strategies to deal with them.

Conclusion: Current network and security deployments make many assumptions about the threat environment and which controls are effective. Many of these assumptions are predicated on an older security architecture that emphasised the perimeter. This perimeter then segregated the outside from the inside with an associated perception that inside was good or trustworthy and outside was bad and untrustworthy.

It is easy to see that for many, if not most organisations, the perimeter is no longer just considered a solid demarcation point between outside and inside. The internal network hosts contractors and consultants as well as integrates external services as if they are native to the network. Staff operate from partner and customer locations as well as from public networks via wi-fi hotspots in cafes, airport lounges and hotels.

This evolution requires a fresh security architecture to assist organisations to operate in the evolving network and service paradigms. The zero trust network (ZTN) philosophy lays out an architectural approach to deploying services, enabling staff and supporting customers. ZTN should be assessed by any organisation looking to move to an internet-driven, Cloud-supported and secure operating schema.

Conclusion: Recently, several architectural models and tools have become available to enable the microsegmentation of networks, which helps improve overall security within organisations and can help limit the scope of any potential breach within an organisation. This can be achieved by aligning microsegmentation of networks with the organisation’s mission-critical systems profile.

Organisations should ensure microsegmentation is included in their security strategy. However, there are several different architectural approaches and organisations should explore these and select the approach that most suits their current or planned enterprise architecture and assess the benefits each approach may offer.

Conclusion: Australians have become increasingly concerned not only with what data is being held about them and others, but how this data is being used and whether the resulting information or analysis can or should be trusted by them or third parties.

The 2018 amendments to the Privacy Act for mandatory data breach notification provisions are only the start of the reform process, with Australia lagging a decade behind the US, Europe and UK in data regulation.

Therefore, organisations seeking to address the increasing concerns should look beyond existing data risk frameworks for security and privacy, moving instead to adopt robust ethical controls across the data supply chain1 that embodies principles designed to mitigate these new risks. Risks that include the amplification of negative bias that may artificially intensify social, racial or economic discord, or using data for purposes to which individual sources would not have agreed to.

Early adopters of effective data ethics will then have a competitive advantage over those who fail to address the concerns, particularly of consumers, as to how their data is used and if the results should be trusted.

Conclusion: Relying on third parties to succeed in business has become the norm. Cost limitations and workforce requirements mean that businesses need to find efficient ways to achieve their goals. This regularly includes creating an ecosystem of organisations that offer technology, consulting and support services that can be leveraged when required for a fraction of the cost of employing a person or service in-house to the same end. This is great from a business perspective; however, engaging with third parties brings significant risk. Businesses are effectively opening their door to a perfect stranger and inviting them into their organisation to look around, share some data and stay a while. Managing the risk of having a third party connected to an organisation is important. An organisation’s security controls become meaningless once data is transferred to a third party. At the end of the day, if a cyber-attack occurs via a third party, there will be more than one reputation on the line in the eyes of current and future business partners, customers and clients. 

While the impact of a third-party data breach cannot be completely prevented, the key to resilience, detection and management of connections is awareness, being upfront about the security expectations and educating the workforce.

Conclusion: Fraud and cybercrime can both keep key stakeholders in a business awake at night. But these threats are often driven by very different malicious motivations. In the end, the two threats overlap but are very different. Fraud is a crime carried out for financial gain. Cybercrime on the other hand can be executed for many reasons including political, passion and even opportunistically, purely because a vulnerability was there. Aside from reasons/motivation, two other key differences include skill set needed to manage such threats and the delivery method of the event. Organisations need to prepare for both of these threats to be realised and cannot always rely on the controls of one to detect, prevent or manage the impact of the other.

Conclusion: Passwords are the weakest link (some might say second to humans) in the enterprise security chain. With compromised credentials (a username and password) being the leading cause of data breach1, passwords and even the stronger passphrases are no longer sufficient to protect users or businesses from unauthorised access to critical data and systems. As such, an additional layer of security, namely two-factor authentication (2FA), is now commonly available. The term two-factor or multi-factor authentication has become commonplace and while it materially reduces a business’s risk to several cyber threats, many end users feel that it is an inconvenience, slows down productivity and prefer not to “opt-in” if that is at all an option. The bottom line is that 2FA is complementary to strong passwords – it is not a replacement for them. Raising education and awareness of the importance of strong passwords is still needed and 2FA is simply another layer of protection, akin to a more secure bolt on the door to our sensitive information.

Conclusion: The question of “how much security is enough” often stems from attempts to define ballpark security budgets, meet compliance obligations and scope out security team size and make-up. But how much security is enough depends on a number of factors that an organisation must consider before seeking the endorsement of the security strategy and agreeing on an acceptable risk position.

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

TechSci Research estimates the Australian managed security services (MSS) market will grow at a CAGR of more than 15 percent from 2018-23 as a result of the increased uptake of cloud computing and the popularity of bring-your-own-device (BYOD).

That’s a decent growth rate, enough to pique the interest of managed IT services providers looking to grow their business.

They already have established client relationships and those clients, like all businesses, face constant challenges keeping secure in the face of an every evolving threat landscape and a shortage of cyber skills.

Many managed IT services providers (MSPs) already offer some elements of security, such as antivirus, intrusion detection and managed firewall, but there’s a huge gap between these and offering a fully fledged managed security service via a 24x7 security operations centre (SOC) and security information and event management (SIEM) software to provide real-time analysis of threats, generate alerts and advice on remedial action.

Technical competence is one challenge faced by any MSP contemplating becoming an MSSP.

Full Story

Conclusion: A major benefit from using a framework is to support better decision making and help deliver consistent outcomes. When it comes to security and risk, a framework is only as useful as the intellectual effort required to understand the framework and how it applies to an organisation’s risks. While some frameworks call for much documentation, IBRS argues that security policies for their own sake are not as valuable as reviewing existing business policies and processes with a risk management lens.
The goal is to have business executives making informed decisions. As an organisation’s cyber risk management practices mature, the creation of documentation as a point of agreement within the organisation becomes more important, but starting the journey with document creation misses the whole point of risk management. Any framework is only as useful as its ability to directly support business outcomes.

Conclusion: The updated NIST cybersecurity framework (CSF) is a pragmatic tool to enable an organisation to gain clarity on its current level of capability for cyber risk management. Remembering that visibility, as a principle, is both an objective of the framework, but also a guide when working through the framework will make application of the framework much more valuable. Aiming for visibility will enable an organisation to accurately gauge itself against each function, category and subcategory. Visibility will enable an organisation to honestly assert current capability, and the gap to a more desirous level of capability. Achieving visibility will require ongoing collaboration with business stakeholders which, in turn, delivers visibility to these same stakeholders and ultimately enables informed decision making.

Conclusion: A requirement of the European Union’s (EU) General Data Protection Regulation (GDPR) is the concept of “data portability”, which provides a right to receive personal data an individual has provided in a “structured, commonly used, machine-readable format”, and to transmit that data to another organisation.

Underlying data portability is an assumption that data standards exist and are widely used across all public and private sector organisations, especially in specific vertical industries, such as Financial Services, Health or Utilities. In many cases in Australia, no such standards exist and there is no framework to encourage industry cooperation.

Australian organisations needing to comply with GDPR will have to develop an approach and strategy to how they will provide data portability when requested to do so.

Conclusion: The forthcoming General Data Protection Regulation (GDPR) legislation is being introduced by the European Union (EU), which has ramifications to organisations worldwide.

Key aspects of GDPR relate specifically to what data exactly an organisation should be able to legally keep and for how long. The underlying principle is that less is best in terms of data collected and kept. For the data to have been legally collected, an individual has to have explicitly given their consent to the organisation to collect, keep and process their personal data.

Conclusion: There are three levers being applied to the cyber security maturity of specific parts of the Australian economy. These three levers are the Notifiable Data Breaches Scheme, the Security of Critical Infrastructure Bill, and Prudential Standard CPS 234 “Information Security”. These levers each address an area of importance for the national economic wellbeing, and organisations should look at all three for insight into what is now expected to constitute reasonable and appropriate practice in cyber risk management. In turn, they address the importance of data value to customer trust, the importance of system control and supply chains to national security, and the importance of resilience to our economy.

Conclusion: The General Data Protection Regulation (GDPR) legislation being introduced by the European Union (EU) in May has ramifications to organisations worldwide.

Australian organisations that have already invested in ensuring that they comply with the Australian Privacy Act 1988, and have a robust privacy management framework in place, may find that they already comply with aspects of the EU’s GDPR. However, GDPR does have more stringent requirements including requirements that are not within the Australian requirements, so effort and investment will be required by organisations that need to comply with GDPR.

When considering an organisation’s position and defensibility in terms of whether they complied or not, organisations will need to develop an understanding of the specific requirements, and how exactly they have implemented “technical and organisational measures to show that they have considered and integrated data protection into their processing activities”1.

Conclusion: The forthcoming General Data Protection Regulation (GDPR) is new legislation being introduced by the European Union, which does have ramifications for organisations worldwide.

Being new, there is still a lot to be learned about what exactly some of the specific requirements will mean in practice and how they will impact organisations in being able to show that they have understood and completely complied with the regulation.

When considering an organisation’s position and defensibility in terms of did they comply or not, organisations will need to develop an understanding on the specific requirements, and how exactly they have implemented “technical and organisational measures to show that they have considered and integrated data protection into their processing activities”1.

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Conclusion: The security capabilities of Cloud vendors have evolved rapidly since 2008. Specifically, the three big Cloud vendors Microsoft, Google and AWS understand the importance of trust and assurance for their corporate and government customers and are each working aggressively on continual service improvement. Most customers are more likely to suffer security issues with their own architecture, configurations and processes when trying to work with Cloud services than they are from any exposure from these leading Cloud vendors. The implications for IT organisations engaging with Cloud vendors are clear: along with good vendor management practices, IT organisations should purchase and architect for minimal configuration as much as practical. From a security perspective, and if Cloud is appropriate, “Cloud first” should be viewed as a cascading decision tree: SaaS first, then PaaS, then IaaS.

Conclusion: Cyber insurance is claimed to help recoup the losses sustained by an organisation from a raft of incidents that may or may not be “cyber”. It is imperative that organisations understand their data assets and business processes, and the risks to these, before engaging with an insurer. With a changing legislative environment, there is a role to play for insurance against losses relating to cyber incidents, especially around first party costs and third party impacts. However, cyber insurance is still a very new area and the insurers are still finding their way. This means that prospective customers need to be more informed than ever.

 Conclusion: Despite increasing focus on information and data in an as-a-Service age, thought leadership in the data management discipline has waned. Today, few of the frameworks, methods and bodies of knowledge that emerged either from the data modelling fraternity or the records management community in the last decade remain active.

This leaves organisations seeking to address the impacts of increasing privacy regulation, cyber security risks from increased digital delivery or improving data integrity to support automation with only one real choice – the Data Management Association (DAMA)’s Data Management Book of Knowledge whose 2nd Edition (DMBoK2) has emerged after almost three years of international collaboration.

Despite the wait, DMBoK2 provides a much-needed update on an already solid foundation addressing contemporary issues with the exception of fully addressing the challenges of data science in its broadest form. Organisations seeking to comprehensively address data management would be well served by adopting DMBoK as a foundational model, thereby ensuring they have a single point of reference regardless of the specific outcomes or priorities that need to be addressed now or in the future.

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs. 

Conclusion: Australian organisations and agencies need to embrace the European Union’s new General Data Protection Regulation (GDPR) legal framework for protecting and managing Private Individuals Information (PII). There is considerable risk to organisations that do not take action to comply, financially and to organisations’ brands.

There are also potential upsides in embracing the requirements and being able to demonstrate compliance with the accountability principles, and implementing both technical and organisational measures that ensure all processing activities comply with the GDPR.

Whilst Australian companies may already have practices in place that comply with the Australian Privacy Act 1988, GDPR has a number of additional requirements, including the potential appointment of “data protection officers”. Action should already be taking place, and organisations should not underestimate the time and effort it may take to reach and maintain compliance.

Conclusion: An audit is an integrity check that assesses whether an organisation is doing what it said it would do, and what others should reasonably expect it to do. The previous sentence also points out that it’s not enough to have better practices documented. An organisation must also be able to demonstrate that staff are adhering to these. There are some excellent resources available for organisations preparing for a cyber security audit. The real gold will be in the quality of the conversations and resulting maturity in perspective at the most senior levels of an organisation that occur through the work that is carried out in preparation for the audit.

Conclusion: Organisations must proactively manage exactly which data is kept, secured, and backed up, as well as which data must be archived or permanently deleted. Data hoarding adds considerably to storage costs as well as potentially exposing organisations to risks especially if the data is inappropriate, unencrypted, or could put an organisation’s brand at risk.

Organisations need to have clear policies on exactly what sort of data is to be kept, especially when there are legal, regulatory or other specific reasons for keeping the data. Additionally, organisations need to be clear on what should not be kept.

Organisations cannot leave the management of this issue at simply expecting compliance to a policy. Business stakeholders must be closely involved in defining the business imperative for tracking data relevance and the value of data. Data specialists equipped with the appropriate tools will be required to specifically find data and manage it based on defined policies.

Conclusion: While there is a limit to what organisations can do when criminals misappropriate corporate brands to run phishing campaigns against customers, this does not absolve organisations of all responsibility. Crime on the Internet continues to be an entirely foreseeable risk, so organisations should review their customer engagement processes to ensure they are not training their customers to be easy targets for criminals.

Conclusion: There are two compelling information security reasons for creating a sense of purpose and ownership within an organisation. The first is that a sense of purpose and ownership will empower staff so that they move from responding to basic security hygiene matters, towards pre-empting issues. The second reason is so that organisations look out beyond themselves and work towards a more resilient ecosystem.

This level of resilience maturity is vital and will be driven by leadership and a continuing commitment to talent development. Astute security leaders will use cultural indicators such as engagement and sense of purpose and ownership, as a guide to the ability of the organisation to withstand security incidents.

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Conclusion: IT executives in financial services organisations have expressed frustration at the seemingly vague requirements of APRA, but this misses the true intention of APRA. APRA is not anti-Cloud, but the regulator insists that financial services organisations consult with APRA so that APRA can gauge the maturity of the proposed plan. This is not a mechanism to forbid Cloud, but rather a sanity check to ensure the stability of the Australian financial market by ensuring that organisations are not abrogating their risk identification and management responsibilities.

Conclusion: Open Data initiatives have been supported by all levels of enterprises, especially government, for a number of years. To date the success stories have not matched the hype.

In many cases local IT departments have been left out of Open Data initiatives.

Conclusion: The IT industry has hit a breaking point where the artificial grouping of information security and IT has left many organisations vulnerable. Business units have viewed information security as an IT problem, and IT has abdicated responsibility for many aspects of operations that should be viewed as basic hygiene. It is time for organisations that want to establish a reputation of trust with their stakeholders, to view information security very differently. This will require IT to take on more responsibility for security hygiene issues, and for many security practitioners to make the mental shift from technical do-ers to risk communicators. All organisations must know who, internally, is ultimately accountable for cyber-security and that this person is adequately informed, and empowered to execute on this accountability.

This paper explores why IT security in supply chains is an important topic and sets out a model for organisations to review their exposure and then communicate these issues internally, and with suppliers.

The IT dependencies that organisations now have are largely invisible and can be easily taken for granted, much like the infrastructure involved to have electricity or water be provided to a home. And just like electricity and water, when there is an incident in the IT supply chain, the impact can be considerable on the end consumer.

 Security in the supply chain can seem like an overwhelmingly technical topic, and it is a large topic, but it is not insurmountable. An increasing number of security leaders are looking at the supply chain as the ecosystem that their organisations operate in, and are starting to work on securing the resilience of every link in the chain – and this will take time, effort, and collaboration.

Conclusion: Lockheed Martin’s Cyber Kill Chain framework is a potentially valuable perspective for highly risk averse and highly targeted organisations. Its language is militaristic and technical, which means that it is most suitable for people already inclined to that way of thinking, but in contrast, it may be inappropriate and ineffective with other audiences. Due to its militaristic language, the policy intentions of this framework may be (and have been) reinterpreted by stakeholders, resulting in a misalignment of effort in managing risks.

Conclusion: travelling executives must be under no illusion that if corporate information on, or accessible via, their electronic devices is of interest to the economic wellbeing of a foreign country, they will be targeted for electronic intrusion. The potential value of the information to a third party will be directly proportional to the effort they may expend in getting it. The more an organisation has at stake, the more important it is that this is a risk-driven conversation, not a technology one, because the technology does not matter if an executive’s behaviour does not alter to match the risk.

Conclusion: organisations moving traditional enterprise applications into production on AWS will find backup and recovery functional but immature compared to their existing on-premises Enterprise Backup and Recovery (EBR) tools.

Storage administrators need to understand the native backup and recovery methods in AWS and determine how these can be used to meet the business’ recovery objectives. The optimal AWS solution may require adopting new tools and rethinking long-held assumptions.

Conclusion: When considering using cyber-insurance to deal with the potential costs associated with a successful attack, there are important considerations that CIOs and CISOs should be highlighting to operational risk and finance executives. Most organisations will need to raise their risk maturity substantially, and this means investment as well as changes to practices, before they are in a position to be able to take advantage of cyber-insurance.

Conclusion: Security leaders should approach security frameworks as a challenge to how the organisation secures its information assets. So, security leaders should be able to defend adherence, or variation, from any point on a chosen framework. Variance may be critical for business function, but the security leader needs to know this and be able to articulate it. This is not an argument for non-compliance, but toward a deep understanding of business requirements – and being able to defend this position to internal and external auditors.

Conclusion: Cyber-insurance will be an inevitability for all organisations. However, executives should be clear on what level of cover they are buying, what incidents they are getting cover for, and the costs and impacts on the organisation that insurance cannot (or may not) cover.

An exploration into the feasibility of cyber-insurance is likely to raise good questions about whether an organisation has sufficient controls in place, as well as to what degree the organisation is willing to self-insure. But these questions, like the purchase of cyber-insurance, can only be addressed by the business.

Conclusion: The deadline for compliance with the Privacy Act passed in March, yet some organisations have not yet started reviewing their level of non-compliance. More mature organisations have been proactive and, in projects driven by the business, have reviewed and addressed areas of non-compliance. Some of these projects are still underway. These proactive organisations have the view that the cost of ensuring compliance is outweighed by the potential damage to the organisation’s reputation in the event of a publicly disclosed privacy breach where the organisation is found to be at fault.

Conclusion: Many IT executives are still unclear as to their obligations under the amended Privacy Act. IT executives should use the Privacy Act as an opportunity to start transitioning into a technical advisor role for their organisation. They should avoid falling into the trap of trying to unravel the Act from a legal perspective. It is paramount that the business understands that while IT can take leadership on a project for compliance with the Privacy Act, compliance is a business obligation and not an IT problem.

Conclusion:Accusations against Huawei of spying for the Chinese Government are destabilising confidence in this vendor in the local market. Consequently, the key challenge for Huawei in the enterprise IT space will be a growing reticence by people to be trained in a technology that is being positioned by the intelligence community as a political pariah. This will create a shortage of people trained in Huawei enterprise network equipment and will lead to a sellers’ market for these skills. This will add considerably to the ongoing costs of opting for a cheaper vendor.

Conclusion: As physical and digital supply chains become more integrated across organisational, regional, and national boundaries, the potential impact of an emergency or crisis can be far reaching. A proactive approach to crisis management requires an awareness of all the high-impact crisis and emergency events that could affect an organisation, and requires appropriate tools for risk assessment and active hazard management.

Conclusion: Over the last five years the market of crisis management and emergency response systems has undergone a rapid evolution. Innovative solutions exploit the proliferation of smart mobile devices, the continuously growing number of available data feeds, the simplicity of the deployment models afforded by the Web, and powerful geographic information system functionality. Given the maturity of some of the available solutions, it makes sense for larger organisations in the public sector and for utility organisations to consider the deployment of a modern crisis management and incident response system.

Conclusion: Predictably, Apple’s lead with its Touch ID biometric reader will be followed by the smartphone industry, and we will see a flood of biometrics options for consumers. Many of these biometric deployments will not be well executed, and the failures of these systems will impact the feasibility of biometrics as a means of authentication. Reliance on biometrics, which are used across multiple systems, yet cannot be revoked, will make fingerprints an obsolete authentication credential which will need continual bypass options. Within the next two years, fingerprint authentication in the enterprise will be rendered obsolete.

Conclusion: Application whitelisting is a highly effective mechanism to minimise the impact of malware, and even ensure software licensing limits are enforced, but it is not a simple project and the technology to enforce a whitelist is still maturing. CIOs of Australian government agencies required to comply with the Protective Security Policy Framework and Information Security Manual (ISM) should have a clear plan to present to their Ministers on how this project will be delivered over the next 18-24 months.

Conclusion: While the capability to filter content to corporate-issued smartphones and tablets is a capability that a number of organisations are interested in, very few organisations have taken this step. Most organisations are taking the view that the risk of an employee accessing inappropriate content while on a 3G/4G connection, and offending their colleagues, is low, and best managed through line managers and policy. Typically these trusted staff are also reasonably senior, hence their being issued with a corporate device. The perspective changes, though, if the organisation is concerned about field staff wasting time. In these instances, restrictions are seen as an aid to productivity and the device is heavily restricted.

Conclusion: As organisations become increasingly dependent on computer systems, IT will have an increasingly important role to play in preventing and detecting fraud. CIOs must ensure that there are sufficient checks and balances minimising the risk of IT professionals abusing their elevated systems privileges, and that systems are configured to produce useful logs. CIOs should also ensure that policies for the prevention, and detection, of fraud are tested and enforced. Policies for log management and data retention should get high priority.

Conclusion: Security incident and event management (SIEM) products can deliver solid insights into the security status of an organisation’s network. However, SIEM requires ongoing support, mature change control processes, and rapid and open communications between diverse teams within the IT department - as well as the rest of the organisation! A successful SIEM deployment must factor-in the resources required for ongoing support. These resources will be in proportion to the complexity of the network.

Conclusion: Every technology trend in the financial services sector (principally BYOD, changes in cybercrime, cloud, and DLP) has an aspect of identity and access management. IBRS research on the identity management market in Australia has found that there is a very small resource pool of sufficiently skilled practitioners. This means that the financial services organisations in Australia face a significant challenge in the coming years, primarily from a lack of good security people to architect, execute, support and monitor technical controls.

Conclusion: Cloud computing has multiple dimensions that must be considered when analysing risk. The use of four key variables can rapidly identify the expected level of risk in a cloud computing scenario. These four variables – deployment model, geographic location of data, supplier arrangements and information criticality – can be quickly applied to assess the level of risk and determine a suitable mitigation strategy.

Conclusion: Risk management and quality are two sides of the same coin. Building quality into organisational decision-making processes and systems is only possible if operational risks are well understood. The results of risk analysis should be a key input for the design of enterprise architectures and systems. It all sounds obvious, but risks associated with the decision-making processes in an organisation are only rarely quantified in terms of likelihood, impact on external parties, and potential costs.

Conclusion: From adversity springs creativity. History shows straitened economic times can serve as a greenhouse, rapidly germinating seeds of ideas that may otherwise have taken longer to establish themselves. Six clear trends have emerged from the Global Financial Crisis (GFC) providing business advantage to early adopters. The common thread is their potential to deliver organisational efficiencies, savings, or both. IBRS believe these trends are likely to deserve a place in the IT firmament for a considerable time. CIOs should defensively review these trends; the outcome may be selective adoption or deferral, but their potency cannot be ignored.

Conclusion: Analysing the challenges of portable electronic devices (PEDs) through the PED trilemma model breaks down the problem into three addressable aspects which can more easily be tackled, often by non-technical means. IT departments can manage the inundation of PEDs into corporate networks; but only with unambiguous commitment from senior business managers. IT can get commitment from these managers by using charge-back models.

If we put a dollar sign in the middle of the trilemma, we can show that expansion on any of the three sides results in a total increase in support costs (represented by the area in the middle). IT should use charge-back models for PED support to the business units. An appropriate charge-back mechanism forces business units to carefully consider their choices. The days of gluing up USB ports are long gone.

Conclusion: The securing of online banking through one time passwords delivered via SMS: provides two factors of authentication, is cheaper to deploy than tokens, increases the customers’ sense of security, and introduces online banking customers to the idea of secure banking on their mobile phones.

However, introducing a widely adopted, variable-cost, service like one time password via SMS is not sustainable because it is inevitable that the cost of the SMS service will exceed the cost of online fraud, which is already at very low levels1. Until mobile banking and EMV smartcards become more commonplace, banks should choose the better strategy of using SMS authentication, as it supports the product roadmap for online and mobile banking.

Conclusion: At the start of the year a resurgence of interest in Identity Management was heralded as one of a series of IBRS technology predictions for 2007. Subsequent vendor activity1 has borne this out and more market activity is likely to follow.

Conclusion: Effective and responsible management of IT security should concern executives at the highest levels of management. Leading practice suggests, but does not mandate, separation of the IT security function from the IT management function. One of the ways that this can be achieved is with the appointment of a Chief Information Security Officer (CISO) with total accountability for all IT security matters within the organisation. A pro forma Position Description for the CISO role is provided herein.

Conclusion: Last month I wrote advising IT practitioners to learn the language of risk management, particularly in the context of ANZ/NZS 4360:2004. The article also contained advice to ensure that IT has a place at the decision-making table when considering the implementation of corporate risk management software.

An assumption was made in the article that in your organisation some corporate risk management initiatives were already under consideration. However, suppose this is not the case. How can the IT practitioner pitch a case for an Enterprise Risk Management (ERM) project as a strategic system? This article provides a guide for doing so, allowing the IT practitioner to assert leadership in a burgeoning area of corporate practice.

IS organisations attack increasing client systems support costs by implementing a desktop "lockdown" or Standard Operating Environment (SOE). However, if they do not give enough attention to the process and planning that is required to lock down their desktops their project will fail because of political and cultural problems, and because lockdown may prevent users from doing their jobs efficiently.

Conclusion: In business and government, the subject of risk continues to be a hot topic. It’s covered regularly by the commerce and technology-oriented sections of the media and is increasingly being discussed and actioned at Board and executive levels. Because of the corporate appetite for risk methodologies and tools, a burgeoning IT industry has developed providing risk management software.

Conclusion: Organisations that do not treat information security risks seriously could pay a heavy price if a major incident occurs and they are unprepared to deal with it.  

In April new Federal anti-spam legislation will ban local spammers from operating; otherwise they could face penalties of over a million Australian dollars a day. According to the Coalition Against Unsolicited Bulk E-mail, the purpose of putting this legislation in place is to stop spammers, and make Australia appear credible when looking to other countries to adopt the same type of law.

Changing business processes and systems to comply with legislative requirements is a major hidden cost in the public and private sector. Ironically, it is also one of the least referenced in the research literature.

SPAM is a terrible problem, from cutting productivity, threatening security, offending the morals of millions, planting doubt in the most macho man, and just irritating anyone with email. 2003 has seen many headlines about SPAM and how companies and governments are going to tackle it head on.

Conclusion: Security awareness programs are an attempt to change staff behaviour for the protection of an organisation’s information assets, and also an attempt to change corporate culture to support and encourage desirable behaviours. However, security awareness programs also run the risk of overwhelming staff with too much fear, uncertainly, and doubt. A disempowering message is more likely to result in either no behavioural change or, potentially, an undesirable change. Instead, security awareness programs should focus on helping staff develop and sustain the skills and knowledge required to execute on their work, and also maintain a mind state of “relaxed alert”, or “Code Yellow” in Cooper’s Colour Codes.