How we can work with IRAP Assessors

When it comes to personnel and IT, it’s a high-risk environment right now.

  • 9 in 10 data breaches involve trusted insiders, mainly due to negligence
  • 1 in 5 data breaches are caused by malicious employees
  • 1 in 5 applicants lie on their job resumes
  • 1 in 5 applicants have misrepresented their qualifications
  • 3 in 5 applicants with criminal convictions failed to admit them, even when asked during the hiring interview
  • 1 in 5 applicants are unsuitable to hold a TSPV (Top Secret Positive Vetting) national security clearance
  • 1 in 4 applicants were assessed as ‘not qualified’ in pre-employment integrity tests (sample size: 15,000 candidates)
  • 1 in 4 applicants admit that their behaviour would be considered “high risk” by their employers.

The consequences?

  1. Hiring the wrong person can cost a business between 30 and 200 per cent of that person’s annual salary.
  2. The Privacy Commissioner can seek penalties of up to $1,800,000 against organisations for data breaches.
  3. Data breaches cost an average of $100,000 to $200,000 per incident.

The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative to provide high-quality information and communications technology (ICT) services to government in support of Australia’s security. IRAP services include providing advice for, and assessments of, gateways, specialised government network connections, government systems, system documentation, and risk mitigation.

We can help IRAP Assessors provide risk mitigation advice to clients about moving personnel into security cleared positions. The Cleard.life qualification allows the employer to anticipate the official outcome for a specific level of security clearance before the “e-Pack” is submitted. It is a “dress rehearsal”, not a short-cut around the official process. What it provides is solid business information that allows the employer to make an informed decision about which of their personnel should be on the IT project, without wasting precious time (waiting for ‘unsuitable’ applicants to work their way through the backlogged vetting ecosystem) and money (some clearances cost around $10,000 each).

ASD recommends seeking at least three quotes when engaging an IRAP Assessor. Note that ASD does not recommend specific IRAP Assessors (or Cleard.life), nor does it assist in selecting an IRAP Assessor for a particular task. ASD also recommends not restricting your engagement to the IRAP Assessors located geographically closest to you.

Ask your IRAP Assessor about risk mitigation methods that reduce your “security clearance” risks. Some IRAP Assessors are unfamiliar with our service, so let them know about it and ask them to get in touch with us.

Here is a recent case, as reported by iTnews:

The $220 million contract required Telstra to submit a data protection plan within 40 days of signing it; a privacy policy or security risk management plan be submitted; that a deed of confidentiality and privacy be signed with subcontractors; and that Telstra staff with direct access to the register have appropriate security clearance.

And a list detailing security clearances for Telstra staff with access to the register is “incomplete”, the auditor reported.

An independent IRAP (ASD’s Information Security Registered Assessors Program) assessment will be undertaken before the register goes live, it said, and it already has “processes and controls” in place to restrict access to sensitive information.

Source: https://www.itnews.com.au/news/australias-telstra-run-cancer-register-has-no-security-privacy-plan-466951

The clearance question for cloud providers is addressed in ASD’s Anatomy of a Cloud Assessment and Authorisation (July 2020) document:

This document is intended for CSPs, Information Security Registered Assessors Program (IRAP) endorsed Assessors and Non-Corporate Commonwealth Entities (NCCEs, referred to as cloud consumers in this document) who are subject to the Public Governance, Performance and Accountability Act 2013[1] (PGPA Act) to the extent consistent with legislation. This document assists and guides IRAP assessors, cloud consumers’ cyber security practitioners, cloud architects and business representatives on how to perform an assessment of a CSP and its cloud services, and the cloud consumer’s own self-developed systems hosted in the cloud. While this document is primarily intended for cloud consumers, this guidance can be used by any organisation considering cloud computing.

Specifically, CSPs that store, process and communicate information marked up to OFFICIAL: Sensitive are not required to have personnel with Australian Government security clearances to handle this classification of information. Cloud consumers only using information marked up to OFFICIAL: Sensitive need to ensure the CSP’s personnel pre-employment screening aligns to, or meets the intent of, the pre-employment screening requirements detailed in PSPF policy 12: Eligibility and suitability of personnel.

News Flash:

Significant personnel security reforms are taking place. According to Home Affairs’ Critical Infrastructure Centre (CIC), which is tasked with mitigating sabotage, espionage, coercion and other personnel risks, the implementation of the Cyber Security Strategy 2020 will usher in enhanced security obligations, legislation and a framework that will affect the “Data and the Cloud” sectors.

Read more here: https://www.cleard.life/critical-infrastructure-entities-must-now-hunt-for-spies/

You may also find these articles interesting:

Manage your Third-Party Risks. Read more here.
Recruitment Agency: Improve your value proposition and your recommendations. Read more here and here.
Existing Employees: Vet them to know if they can move into a (higher) national security designated position (SECRET, TOP SECRET, TSPV). Read more here.
