Tasked with assisting a prominent arm of the APS with adherence to the Federal Government’s Compliance regime, Shearwater was able to:
- Integrate the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) into a maintainable Information Security Management System (ISMS) based on the international standard for information security, ISO/IEC 27001, and the principles of continuous improvement
- Partner effectively with the division’s internal team to develop an overarching Risk Management framework. This framework enabled the division to effectively uncover, prioritise and manage risks within core systems
- Prioritise and deliver key ISM documents
- Seamlessly deliver the entire engagement on time and on budget
The practices established by Shearwater and the division’s internal security team will ensure the ongoing security of the division’s information.
As a division of the APS with a highly specialised need to protect information, systems and the stakeholders that engage with it daily, the division sought a bespoke Information Security Management System (ISMS).
An ISMS of this complexity would require expert input into its design, development and implementation.
As the individual responsible for the management of security measures, the division’s IT Security Advisor (ITSA) said his collaboration with Shearwater was built on the assurance that their Information and Communication Technology (ICT) systems can be protected against compromise.
“Improving the security posture, processes, and the information security management system is a serious and continuous business requirement,” he said.
While the division had numerous security processes in place, it recognised that the management of information security could be made more efficient through the introduction of an overarching management framework. To ensure the best possible coverage and implementation, they required their ISMS to:
- Be based on the International Organization for Standardization’s ISO 27001, and
- Adhere to the Australian Government’s ISM, the standard which governs the security of government ICT systems
The ISM serves a specialised purpose by defining the technical controls that government agencies are required to put in place for the protection of electronically stored and transmitted information. The first steps in ISM compliance involve the production of several documents that describe the risks that an agency’s systems face and the protection controls currently in place.
The division’s ITSA was aware of the need to meet the ISM requirements from both a regulatory and a security perspective. One of the many challenges identified during this process was the requirement to improve their information security management system, processes and methodology without causing disruption to their essential activities.
“After assessing the requirements needed to achieve this task, we decided that we needed to seek the assistance of experienced external resources who could complement the existing security staff capabilities,” the ITSA said.
Following the formal process for engaging a third party, the division went to market and found Shearwater best suited to solve the organisation’s need in terms of expertise and service.
Finding Shearwater highly responsive and invested in understanding their operations, the ITSA said his team were impressed with the expertise available.
“We sensed that Shearwater provided value from the onset. Not only were they responsive but they also invested a lot of effort in understanding the way our agency operates and its goals. We conducted a comprehensive scoping call with Shearwater consultants who were able to demonstrate their competency very quickly: the questions they asked reflected care to understand the way we function. Also, their responses demonstrated rich experience in this area; they were clear on the methodology that they were to follow and were able to outline a structured approach.
“Through this scoping call, proposal and other initial interactions, Shearwater was able to instil us with the confidence that they were the right consultancy for the job. We wanted to utilise their knowledge and experience to help our team achieve the set goals,” the ITSA said.
Shearwater’s culture focuses on providing an outstanding customer experience, which means that the professional relationship does not end at the conclusion of a successful engagement. The Shearwater team is always responsive and ready to provide help and advice when needed.
“Security is an ongoing process, and as an IT Security Advisor, I am comfortable with having a peer company like Shearwater to rely upon. If I have an issue or need advice, I am confident that Shearwater can provide a pragmatic and cost-effective solution.
“This engagement gave the senior management assurance that the security team are tackling security threats and adhering to a structured approach in managing risk and protecting our systems from compromise,” the ITSA concluded.