Noggin

Security Management Software

Updated July 14, 2023

IRAP and information security

Housed within Australia’s Department of Defence, the Australian Signals Directorate is responsible for guarding the federal government’s information and systems. In this age of digital transformation, the two, information and systems, must be treated cohesively and coherently. After all, vast quantities of sensitive government information and classified intelligence get stored in online systems.

To enhance information security in the midst of wider digital changes, the government employs measures like the ISM, the Australian Government Information Security Manual, which is put out by the Australian Signals Directorate. The ISM is “designed to assist Australian government agencies in applying a risk-based approach to protecting their information and systems… and includes a set of information security controls that, when implemented, will help agencies meet their compliance requirements for mitigating security risks to their information and systems” [i].

Essentially, the ISM lays out the required technical measures that organizations have to take in order to handle information at various levels of secrecy. Service providers looking to handle sensitive government information must therefore comply with the security dictates spelled out in the ISM. Which brings us to the Information Security Registered Assessors Program, better known as IRAP.

It is IRAP that provides the framework for assessing third-party IT system providers who seek to process, store, and/or transmit government data up to the Protected level of classification; the compromise of information held at this level of classification causes damage to the national interest, organizations, or individuals [ii].

So, what, then, does the Assessors program actually do? Well, IRAP provides customers of the Australian government the validation (of their information security controls) they need to handle sensitive government information. 

How to get IRAP-certified

Getting IRAP-certified requires passing a rigorous, multi-stage assessment program, undertaken by an IRAP-accredited assessor. The assessor is the only person able to perform a government-sanctioned review of a provider’s information security systems. 

The assessor’s responsibility is to designate the areas where the applying provider complies and (conversely) doesn’t comply with IRAP requirements, as well as to describe the risks and the corrective actions that the applicant should take. At the end of the process, the assessor gives recommendations to a Certificate Authority on whether the applying provider should be certified.

The evaluation proceeds in two stages. During the first, a security assessment identifies security deficiencies. The applying provider then has the chance to rectify or mitigate those deficiencies. The second security assessment follows up on residual compliance.

During the assessment process, applying providers should expect rigorous documentation review, site visit(s), and interviews with key internal security personnel. Out of those measures comes the (final) Findings Report, which is transmitted to the Trust Framework Accreditation Authority for consideration, pursuant to the Trust Framework Accreditation Process.

In more concrete terms, each stage in the assessment includes the following [iii]:

During stage one, the Assessor:

  • Defines the statement of applicability in consultation with the system owner.
  • Gains an understanding of the system.
  • Reviews the system architecture and the suite of system security documentation, including:
    - The overarching Information Security Policy and Threat Risk Assessment
    - The System Security Plan
    - The Security Risk Management Plan
    - The Incident Response Plan 
    - Relevant Standard Operating Procedures
  • Seeks evidence of compliance with the government’s ICT (information and communication technology) requirements and recommendations.
  • Highlights effectiveness of government ICT controls and recommends actions to address or mitigate non-compliance.

During stage two, the Assessor:

  • Looks deeper into the system’s operations and security controls.
  • Conducts interviews with key personnel.
  • Investigates the implementation and effectiveness of security controls in reference to the security documentation suite.
  • Checks on all physical security and information system certifications and any related waivers.

Understanding the role of the Trust Framework Accreditation Authority

The entity that manages the Trust Framework Accreditation is the Trust Framework Accreditation Authority. Once the IRAP Assessor makes a certification recommendation, the Authority will assess any residual risk and corrective actions, before making the final decision on whether to grant certification. 

Outside of the IRAP process, the Authority is also responsible for the following: 

  • Ensuring that the Trust Framework Accreditation Process is conducted with due care and in accordance with the published Trust Framework documents.
  • Reviewing, within agreed timeframes, all relevant Applicant documentation to ensure conformance to the published Trust Framework documents.
  • Considering all reports and recommendations from Authorized Assessors.
  • Making all decisions in relation to the accreditation of Applicants and the ongoing accreditation of Accredited Providers, including decisions to accept a non-conformance against the Trust Framework requirements where it considers the evidence provided by the Applicant sufficient to justify that non-conformance.
  • The Trust Framework Accreditation Authority interprets conformance against Trust Framework requirements as either: 
    - Demonstrating compliance against Trust Framework requirements.
    - In a protective security context, the Trust Framework Accreditation Authority accepting a waiver for the use of alternative controls. See the Trust Framework: Protective Security Requirements for further information on waivers.

The cybersecurity picture: benefits of IRAP certification

So, what’s really driving initiatives like IRAP? The assessors program is part of the government’s wider focus on accelerating cloud adoption, especially public cloud adoption, in its agencies. A pivotal moment in this trajectory came in 2014 when the government released its inaugural “cloud-first” policy, marking the official adoption of a cloud-computing strategy [iv].

In this respect, the government is acting like many organizations in the private sector, which are also digitizing the bulk of their services, hoping to reap the benefits that cloud computing brings to information storage and sharing, i.e. greater accessibility, mobility, efficiency, and productivity.

For the government, though, bringing critical services and sensitive information into the cloud also creates a set of stark security risks. For one, all of that information becomes highly susceptible to malicious cyber activity, as acknowledged in the pages of the ISM:

Australia continues to be the target of persistent and sophisticated cyber exploitation activity by malicious actors. The most prevalent threat to Australian networks is cyber exploitation; that is, activity by malicious actors to covertly collect information from ICT systems. Australia is also threatened by the possibility of cyber attack—offensive activity designed to deny, degrade, disrupt or destroy information or ICT systems [v].


Noggin ready to handle IRAP-protected classification in national incident and case management response to critical events

Luckily, safety and security vendors are making that cloud-first pivot alongside the government. Global industry leader in safety and security technology, Noggin, for instance, has announced successfully completing an audit of the Noggin 2.0 platform under the Information Security Registered Assessors Program (IRAP).

Noggin’s IRAP assessment, the first in its class, means that its leading incident, risk and case management platform can be used by state and federal agencies to manage information classified up to Protected, in alignment with the Australian Government Secure Cloud Strategy. The Noggin platform itself can be flexibly configured to solve a wide range of business problems, so the ability to handle IRAP Protected-level classification now creates new opportunities to securely digitize workflows, information, and systems across all levels of government. The Noggin IRAP assessment has already been taken up by initial adopters in government.

How did we do it? Noggin worked closely with an IRAP-accredited assessor to pass a rigorous, multi-stage assessment program, based on a risk assessment model. The independent and accredited assessor reviewed Noggin’s systems and assessed the actual implementation and effectiveness of security controls, including people, processes, and technology, so as to ensure those systems address the needs of the ISM.

With the IRAP assessment, Noggin has made available a special Protected level hosting option to eligible customers as an add-on to their subscription. To be eligible to subscribe to this IRAP-Protected Hosting option, customers are required to comply with the ISM up to the level of PROTECTED and must be recognized as having a need to operate up to a PROTECTED level.

What’s Noggin saying about the news? Noggin CEO James Boddam-Whetham:

“We are thrilled to have scored our IRAP protected-level government security tick. The Noggin integrated safety and security software platform has been used extensively by federal and state government public safety response agencies and by corporates supporting the Australian bushfire season response over the last several months. Now, users can get the added security of IRAP, allowing them to run mission-critical work, with added security features. The Noggin platform comes with a library of best practice solutions for business continuity, emergency and crisis management, security operations, case management and safety, all of which are areas where security information management is a highly important selection criterion.”

Noggin CISO/CTO Owen Prime:

“There is a genuine need for agencies to be able to benefit from modern software-as-a-service like Noggin for information management at the Protected classification level. A fully managed turnkey solution means agencies can now rapidly deploy with the confidence that they are meeting their security obligations, but without the costly burden of separately going through the audit process themselves.”

Finally, with measures like IRAP as well as a new protective security policy framework, the government is responding to this new risk environment, marked by increased motivation on the part of malicious cyber actors, the flattening of the capabilities gap between those actors and governments, and the concomitant growth in technology-based vulnerabilities.

It’s safe to say then that the government is serious about protecting its information assets through stringent security protocols. If a vendor is considering doing business with the government, which often entails handling sensitive information, that firm will most likely have to hew to these tough new strictures, up to and including undergoing the IRAP assessment. 

Businesses shouldn’t think of this process as a burden though. Besides furthering their own cybersecurity competitive advantage, firms will also find that the rewards of doing business with the sprawling federal government are themselves significant. 

Not only is the government one of the country’s largest employers, but it procures billions in information and communications technology services every year. In 2014, for instance, total public-sector expenditure (combining state, territory, and federal) for these services was around 30 percent of the total domestic market [vi]. The market continues to grow apace, and safety and security management technology providers, like Noggin, are there to seize it.

Citations

i. Australian Government Digital Transformation Office: Third Party Identity Services Assurance Framework: Information Security Registered Assessors Program Guide. Available at https://www.asd.gov.au/publications/irap/IRAP_Assessment_Reporting_Guide.pdf.

ii. Australian Government Attorney-General’s Department: Protective Security Policy Framework. Available at https://www.protectivesecurity.gov.au/informationsecurity/Pages/AustralianGovernmentSecurityClassificationSystem.aspx.

iii. Australian Government Department of Defence: What is an IRAP Assessment? Available at https://www.asd.gov.au/infosec/irap/irap_assessments.htm.

iv. Australian Government Department of Finance: Australian Government Cloud Computing Policy. Available at https://www.finance.gov.au/sites/default/files/australian-government-cloud-computing-policy-3.pdf.

v. Australian Government Department of Defence Strategic Policy and Intelligence: 2016 Australian Government Information Security Manual. Available at https://www.asd.gov.au/publications/Information_Security_Manual_2016_Exec_Companion.pdf.

vi. Australian Government Department of Finance: Australian Government Cloud Computing Policy. Available at https://www.finance.gov.au/sites/default/files/australian-government-cloud-computing-policy-3.pdf.
