What’s the IRAP Assessment?
Government bureaucracies get a bit of a bum rap; too often, people perceive them as stodgy and resistant to change. But just like the majority of big private actors, federal governments around the world have undertaken pretty substantial digital transformation projects, adopting the latest in digital technology to make their processes and agencies more accessible to the people.
Of course, digitization carries risks of its own. Online repositories are not impenetrable fortresses; they can be breached by motivated non-state actors, and, as the headlines remind us almost daily, those actors have closed much of the capability gap with governments. So what are governments doing about the new threats?
Since the mid-2010s, the Australian federal government has invested significant resources in cloud computing. In step with that investment, it has also strengthened its protective information security measures, notably through the Information Security Manual (ISM), published by the Australian Signals Directorate. The ISM is “designed to assist Australian government agencies in applying a risk-based approach to protecting their information and systems… and includes a set of information security controls that, when implemented, will help agencies meet their compliance requirements for mitigating security risks to their information and systems.”
The ISM sets out the controls a firm must implement if it wants to handle sensitive government information. To handle information classified PROTECTED, third-party service providers need their systems assessed and certified under the Information Security Registered Assessors Program, better known as IRAP. Note the division of labour that follows: the IRAP assessor assesses and recommends, while certification itself is granted by a separate authority on the basis of that assessment.
IRAP is a multi-stage certification process that begins with a security assessment. Only an IRAP assessor, a security professional endorsed by the Australian Signals Directorate, can conduct a sanctioned assessment. In this first stage the assessor builds a detailed understanding of the applying provider’s system, reviewing its architecture, operating procedures, and documentation, including the following:
- An overarching information security policy and a threat and risk assessment
- A system security plan
- A security risk management plan
- An incident response plan
In this stage the assessor is looking for evidence that the system is designed to comply with the ISM’s information and communications technology controls, and produces an initial report of the relevant findings.
In the second stage, the assessor conducts a deeper assessment, now focused on evidence that the controls are actually in place. This typically involves a site visit, during which the assessor interviews key security personnel, inspects how security controls have been implemented, and examines any relevant certifications and waivers.
From there, the assessor produces a final report setting out the areas of compliance and non-compliance, together with a certification recommendation. That recommendation goes to the Trust Framework Accreditation Authority, which makes the final decision on whether to grant certification, weighing factors such as the residual risk and any remedial measures the provider has taken.
For more great content from Noggin, visit our Resources Center.