The ASD’s post World War II radio origin secures cloud security today
The Australian Signals Directorate (ASD) is the government’s agency for signals intelligence and information security with origins tracing back to the formation of the Defense Signals Bureau in 1947 during the early years of the Cold War.
The History
The Australian Signals Directorate is part of the Australian Intelligence Community and plays a vital role in gathering foreign intelligence signals, assisting the Australian Defense Force (ADF).
The Australian Intelligence Community began as the UKUSA Agreement. The UKUSA Agreement was signed following World War II on March 5, 1946, which formalized the basis of what eventually became SIGINT.
Originally, the agreement was only between the United States and the United Kingdom, but it would later include Canada, New Zealand, and Australia by 1956. This agreement was not officially acknowledged until 2010, even though its existence was known in the 1980s.
The UKUSA Agreement aligned Australia, the United States, New Zealand, the United Kingdom, and Canada as allies in signal intelligence and communications. It has evolved over the years into a partnership working toward global cybersecurity.
What does the ASD do?
The ASD has contributed to global cybersecurity in several different ways. Key contributions include the Information Security Manual (ISM), the Essential 8, and the Information Security Registered Assessors Program (IRAP) Certification.
Learn more: Get IRAP Certification
The Information Security Manual
The ISM provides a comprehensive cybersecurity framework designed to enable organizations to safeguard their systems and data against cyber threats. By integrating this framework with their existing risk management practices, organizations can enhance their cybersecurity posture.
The ISM serves as a valuable resource for Chief Information Security Officers, Chief Information Officers, cybersecurity professionals, and information technology managers, equipping them with the necessary guidance to fortify their digital infrastructure and mitigate potential vulnerabilities.
The Essential 8
The ASD also maintains the Essential Eight mitigation strategies, which are a set of prioritized cybersecurity measures recommended by the Australian Cyber Security Centre (ACSC) to help organizations protect themselves against a range of cyber threats. They are:
- Application whitelisting – Allowing only approved and trusted software programs to run on a computer system.
- Patching applications – Fixing security flaws or vulnerabilities in software programs.
- Configuring Microsoft Office macro settings – Adjusting settings to prevent Word, Excel, etc. files from automatically running small programs or instructions without your permission.
- Application hardening – Strengthening software programs by removing or disabling features that could potentially be exploited.
- Restricting administrative privileges – Limiting full admin access only to IT staff, preventing regular employees from making system-wide changes.
- Patching operating systems – Applying updates to fix known security vulnerabilities in the core software that runs your computers (e.g. Windows).
- Multi-factor authentication – Requiring additional verification steps beyond just a password when logging in, such as a code sent to your phone.
- Daily backups – Regularly copying important data and information to a separate storage location for safekeeping.
These strategies are considered essential baseline mitigation strategies that can be implemented to prevent and limit the extent of cybersecurity incidents.
Learn more: Mastering Cybersecurity: Your Guide to the Essential Eight Australia Strategy
IRAP Certification
The Information Security Registered Assessors Program (IRAP) is an initiative by the Australian Signals Directorate (ASD) to provide a framework for assessing the security of cloud services and systems used to handle Australian government data.
The IRAP process involves the following key steps:
- Engagement of an IRAP Assessor: Organizations must engage an independent IRAP assessor accredited by the ASD to conduct the assessment. These assessors are trained and certified by the ASD.
- Scope Definition: The scope of the assessment is defined, specifying the cloud services, systems, and data environments to be evaluated.
- Security Control Assessment: The assessor evaluates the implementation of security controls based on the ISM published by the ASD. This includes reviewing documentation, testing controls, and assessing the overall security posture.
- Risk Assessment: A risk assessment is performed to identify and analyze potential risks associated with the cloud service or system being assessed.
- Certification and Recommendation: Based on the assessment findings, the IRAP assessor recommends whether the cloud service or system should be certified for handling government data at a particular classification level (e.g., PROTECTED, UNCLASSIFIED).
- Certification by ASD: The ASD reviews the assessor’s report and recommendation and decides whether to grant certification for the cloud service or system.
- Ongoing Monitoring: Certified cloud services and systems are subject to ongoing monitoring and re-assessment at regular intervals to ensure continued compliance with security requirements.
The IRAP process aims to provide assurance that cloud services and systems used by Australian government agencies meet the required security standards and are adequately protected against potential threats.
How 38North Security can help you
For companies looking to attain IRAP certification, the process can seem daunting. The ASD has implemented stringent security requirements to protect the nation’s interests and data sovereignty. Meeting these comprehensive controls demands extensive cybersecurity expertise that many organizations simply don’t possess in-house.
This is where 38North Security provides unmatched value. Our team has made IRAP compliance a key focus area, investing in developing deep mastery of the framework’s nuances. We’ve cultivated specializations and partnerships that allow us to effectively navigate clients through each stage of the certification process from the preliminary assessment phase through to the final accreditation.
What truly sets us apart is bridging this IRAP proficiency with robust knowledge spanning other major frameworks like FedRAMP, CMMC, ISO 27001 and more. This cross-regulation fluency enables us to build on existing cybersecurity initiatives, amplifying previous investments rather than re-creating efforts from scratch.
From initiation through certification, 38North has the partnerships, knowledge and first-hand IRAP experience to comprehensively guide organizations through every step of this complex journey. Contact us today to begin.
