As organisations recognise the risks associated with their supply chain and outsourced services, small to medium-sized companies are seeing a greater obligation to demonstrate cyber resilience within their contract terms.
The COVID-19 pandemic highlighted to many industries the benefits of business resilience, a key success criterion of which is to understand supply chain risks and establish strategies to mitigate the impact of loss of products and services. This has driven forward the need for better business continuity management, third-party risk assessments and validation of the controls managed within the supply chain.
Working to the needs of our clients, ISD Cyber has conducted many third-party risk assessments, controls audits and business impact analyses to provide assurance that supply chain risks are understood and mitigated.
ISD Cyber has also assisted many goods and service providers across Australia to enhance their approach to cyber security through implementation of Information Security Management Systems (ISMS). In addition to certification-based projects, ISD Cyber has provided general guidance and mentoring to internal teams, conducted gap analysis and audits against the Essential Eight, the Australian Privacy Act, GDPR, PCI DSS, ISM and ISO 27001.
The cyber threat to the healthcare industry has increased dramatically in recent years; it is no longer unusual to see direct attacks on systems that are designed to cause significant disruption to community services and reputational damage.
Cyber-attacks are of particular concern for the health sector because attacks can directly threaten not just the security of systems and information but also the health and safety of patients.
ISD Cyber has worked across various public and private health services to deliver assurance programs against ISO 27001, the ISM, the Essential Eight, GDPR and the Privacy Act. ISD Cyber has worked with teams to refine cyber security and business continuity strategies, building confidence and capability in the ability to anticipate, prevent, detect, respond to and recover from a cyber security event by assisting in the validation of controls through penetration tests and audits.
Local and State Government requirements for information security have grown exponentially over recent years. With the increased threat of a cyber attack impacting operations, Government Agencies and Councils have established key strategies to enhance cyber security.
Governments are recognising the benefit of implementing cyber security from a risk perspective, ensuring that the required controls are appropriate to their environment and provide a higher return on investment over time.
ISD Cyber has worked with a number of Councils and Government Agencies to help refine IT Strategies, establish Cyber Security Plans and conduct System Risk Management Plans (SRMP). In addition, ISD Cyber has assessed compliance and maturity against standards such as ISO 27001, NIST, the Essential Eight, ISM, PSPF and regional standards such as the South Australian Cyber Security Framework (SACSF) and the NSW Cyber Security Policy.
Not only are Government Agencies and Councils enhancing their own cyber security strategies, they are also encouraging third parties to safeguard their business, focusing on the supply chains within which they operate, and the customers they serve through implementation of the Essential Eight. As such, we are also able to assist companies that offer services to Government.
ISD Cyber has conducted information security risk assessments, gap analysis reviews (against ISO 27001, the Essential Eight and ISM) and assisted in the implementation of certifiable Information Security Management Systems (ISMS) for companies that have specific cyber security and contractual obligations. Such obligations include the DESE Right Fit For Risk (RFFR) Scheme, which is mandatory for all providers of employment skills training and disability employment services.
The Financial, Superannuation and Insurance sector is a highly regulated and complex environment with a vast array of stakeholders. In addition to meeting governance requirements, the industry has invested heavily in technology to deliver services, tapping into social media and the ‘Internet of Things’ (IoT) to enhance user experience and customer engagement. This investment in technology, combined with the sector's status as a high-profile target, has significantly changed its business risk profile and its exposure to cyber security threats.
As the gatekeepers of valuable customer data and personally identifiable information (PII), financial institutions are subject to ever-increasing cyber security rules and regulations. With pressure from regulatory agencies and the need to protect brand reputation, financial firms are motivated to provide significant investment and collaboration to improve cyber security preparedness, response, and resiliency across the sector.
ISD Cyber has worked with Australian organisations as well as those with a global presence or global obligations. This has resulted in a wide variety of services covering ISO 27001 implementation and compliance audits against the Australian Privacy Act, the General Data Protection Regulation (GDPR), CPS 234 and the Payment Card Industry Data Security Standard (PCI DSS).
Australian utilities and associated companies are highly regulated entities. Although they have been working toward control requirements, they are in the midst of significant legislative change that will impose further cyber security obligations.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced in December 2020 and acknowledges the real and growing threat posed to this industry, and the impact on the Australian economy if it were to suffer a serious cyber attack.
ISD Cyber is working closely with our clients to design cyber security strategies based on their unique risk profiles. In doing so, we have used the following industry standards to design and communicate threats, vulnerabilities and control requirements:
- ACSC Essential Eight
- ISO 27001
- Security Legislation Amendment (Critical Infrastructure) Bill 2020
- International Association of Ports and Harbors (IAPH) Cybersecurity Guidelines
- the Australian Privacy Act
- General Data Protection Regulation (GDPR).
In addition to cyber security strategic planning and development (incorporating AESCSF, NIST and ISO 27001), ISD Cyber has supported the resilience capabilities of our clients through a variety of services, including:
- Technical consulting, operations and control implementation
- Control validations/audit
- Operational risk management
- Development and testing of incident response and recovery plans, strategies, and technology
- Validating backup and recovery strategies
- Business impact analysis
- Third-party risk management.