Information Security Registered Assessors Program (IRAP)
As the leading SaaS solution for TBM for Australian and New Zealand Government agencies, Apptio has undertaken an IRAP assessment against the ASD ISM PROTECTED classification.
What is IRAP?
The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative to provide high-quality information and communications technology (ICT) security assessment services to government.
What is an IRAP Assessment?
An assessment is conducted through two stages, as dictated in the Australian Government Information Security Manual (ISM):
- A Stage 1 Security Assessment identifies security deficiencies which the system owner rectifies or mitigates.
- A Stage 2 Security Assessment assesses the residual compliance.
Stage 1 Security Assessment
In the Stage 1 Security Assessment an IRAP Assessor:
- defines the statement of applicability in consultation with the system owner
- gains an understanding of the system
- reviews the system architecture and the suite of system security documentation, including:
  - the overarching Information Security Policy and Threat Risk Assessment
  - the System Security Plan
  - the Security Risk Management Plan
  - the Incident Response Plan, and
  - relevant Standard Operating Procedures
- seeks evidence of compliance with Australian Government ICT requirements and recommendations, and
- highlights effectiveness of ICT controls and recommends actions to address or mitigate non-compliance.
Stage 2 Security Assessment
In the Stage 2 Security Assessment an IRAP Assessor looks deeper into the system’s operation, focusing on seeking evidence of compliance with and the effectiveness of security controls. The IRAP Assessor will conduct a site visit where they will:
- conduct interviews with key personnel
- investigate the implementation and effectiveness of security controls in reference to the security documentation suite, and
- sight all physical security and information system certifications and any related waivers.
- describes areas of compliance and non-compliance
- suggests remediation actions.
- the residual risk relating to the operation of the system
- any remediation activities the system owner has undertaken, and
- make a decision on whether to use the product.
Do Government entities have to undertake security assessments themselves?
The assessment of a CSP’s security fundamentals and its cloud services is performed by an IRAP assessor. This security assessment will be documented using the new Cloud Security Assessment Report Template. This forms the basis for agencies to conduct a risk-based review to determine if the CSP and its cloud services are suitable for handling their data. Agencies are to continue to self-assess, or procure the services of an IRAP assessor to assess, their own systems deployed to the cloud, as well as their responsibilities as defined in the shared responsibility model. Agencies remain responsible and accountable for their own assurance and risk management activities. Further, Agencies are able to conduct supplementary, new and updated cloud services assessments when an Agency wants to use a CSP’s cloud services which have not been previously assessed. This removes the need to wait for full reassessments before Agencies can adopt new cloud services.
What are the different levels of assessment?
Per the ASD Information Security Manual (ISM), products are assessed against four levels of data classification requirements:
- TOP SECRET