Organisations need a robust Governance, Risk and Compliance (GRC) framework to ensure that risks and issues are identified, remediated and managed. In today's environment of proliferating cyber-attacks and a steady stream of zero-day vulnerabilities, this is particularly critical for cyber risk. Maintaining this discipline is generally referred to as an organisation's cyber hygiene: its ability to remain operational while building cyber resilience into its business-as-usual activities. The flip side of risk is trust: the more risk an organisation removes, the more trust it builds.
The fourth industrial revolution will drive a transformation unlike any seen before in its size, scope and complexity. This potentially introduces risk into many, if not all, aspects of the business, and cyber trust will become one of the most valued commodities in the digital economy. At its most basic, cyber remediation is the work of maintaining confidence that an organisation's information systems continue to meet their goals of confidentiality, integrity and availability. The difficulty is that organisations do not have an endless pool of resources with which to embed every control as a process in the fabric of the business and its operational environment.
A risk-based approach is therefore needed to give a balanced review of an organisation's agreed security posture against its agreed outcomes. Those outcomes include which critical infrastructure and applications the organisation considers a high priority for remediation, which strategic priorities it has agreed upon and budgeted for, which data considerations must inform decisions on strategic projects, and what advice it has received from previous audits and how those findings were managed and remediated.
AUSCSEC's cyber remediation service identifies cyber security risks and issues, assists in documenting, categorising and classifying them (as per the ICT risk matrix below), and provides plans for remediating or managing them.
AUSCSEC can engage on anything from a single, specific cyber risk or issue through to taking full responsibility for remediating the risks and issues identified by our assessment and audit service or by another third party. AUSCSEC will assist in documenting and implementing remediation recommendations, co-designed with you.
This is done in consideration of existing investments, budgetary cycles and compliance requirements such as the Australian Government's Information Security Manual (ISM), ISO 27001 or the NIST framework. The result is improved maturity against the Australian Government's Essential Eight (E8) maturity model and demonstrable adherence to other standards, supporting compliance across the end-to-end supply chain.
It also gives your organisation the opportunity to strengthen its security posture by maturing controls already in place, and by mentoring and assisting your end-to-end supply chain (suppliers, manufacturers, distributors, retailers, clients and so on). This secures not just your immediate supply chain but also gives you visibility of, and confidence in, third-party suppliers outside your own patch.
This is particularly crucial if you work with providers supporting critical infrastructure assets or other government agencies. The table below sets out the likelihood of a risk eventuating and its consequences if left unremediated. It also defines the roles and responsibilities of the business owners for the resulting risk rating, the ongoing management that risk will require, and who can review it.
Outcomes:
- A consistent approach to the management of risks across the organisation.
- Clear roles, responsibilities and accountabilities in the cyber remediation process.
- A documented risk and issues register with remediation options, their specific actions and estimated times of completion.
- Risk acceptance criteria and process.
- Significantly diminished exposure to risk and an improved security posture.
- Investment in mitigation reduces the impact of any residual risk and minimises the effort and cost of further remediation.
- Risk management becomes an integral part of the organisation's planning and decision-making processes.
- An improved, demonstrable security posture facilitates new business, especially when pursuing government opportunities that assess supply chain security.
Real-life example:
AUSCSEC team members implemented a risk management framework in a small Federal agency department. The process quickly identified the risk of a potential data breach while data was in transit. The potential impact would have been a breach of the personally identifiable information (PII) of all personnel. We worked with key stakeholders to identify several remediation options, giving due consideration to the data requirements of different user groups and to a secure mode of transmission.
In the agreed and accepted remediation solution, we had to limit sharing of the software developers' proprietary IP in the database elements to avoid a breach of contract, and ensure that only evaluated hardware and software products were used in the solution. The remediated solution was only released into production systems after an IRAP assessment. The system remains under monitoring and cyber security management.