Grace Information and Records Management (IRM) wished to extend their services in the Government market beyond the handling of classified physical materials. A future hybrid environment comprising both physical and digital materials was envisaged. This required that Grace have an ICT system secured in accordance with the Federal Government Information Security Manual (ISM). As an organisation, Grace also needed to improve their security awareness and security culture, not only within the IT support group but across the entire organisation.

Insitec was asked to review the current Grace IRM ICT environment against all relevant (by classification) controls of the ISM. Each control was investigated, and Grace’s compliance rated. A large portion of the time in the initial review was spent explaining the controls and how they related to each other. A physical review of three exemplar sites was also conducted to allow the Insitec team to better understand the physical security practices.

We validated the control list and baselined the current state environment. Then there was a discussion about the desired future state to understand the business requirements. This provided the ICT team senior leadership with a stronger understanding of the ISM and its requirements, allowing them to make informed and cost justifiable decisions.

When examining the controls, rather than looking at the exact compliance and evidence, Insitec looked at the business practice in its entirety – with a focus on how business processes and practices across the organisation interrelated. With this approach, Insitec was able to make recommendations in two key areas for each control.

Firstly, we examined each control in the context of Grace’s business. Some controls were not relevant, and we advised Grace to request the accreditation authority to accept a non-compliance for these controls. Some controls would be prohibitively expensive to implement while offering minimal security benefits or enhancements. In these cases, Insitec recommended alternative approaches or compromises between the letter and the intent of the control.

One of the key issues we faced was determining how to assist any organisation in adopting a security culture. In conducting a review, it is important that the staff and executives of an organisation understand that the intention is to resolve issues, rather than apportion blame. It is important to work with key stakeholders and ensure that all security risks are discussed in the context of business risks to the organisation. This ensures that everyone understands why security is a primary concern within every organisation.

During the build of AS-ABIS, we had to redesign the middleware layer to accommodate the differences between standards for the US systems and standards used by the Australian Department of Defence.