Our client employs more than 3,500 staff across 29 locations with significant national critical infrastructure.
Given the complex nature of the client’s systems, they required the development of a security architecture that took into account the ICT environments, as well as Australian Government Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF) considerations.
Many of the systems that were deployed used inconsistent or bespoke security methods, controls, and supporting systems, so one of the key aims was to standardise the security model in accordance with the risk profile of the business and mandated guidance (i.e., the ISM and PSPF).
The Security Architecture Project was to develop a detailed description of the security elements that were relevant across the client’s ICT environment and to use these to form a series of secure patterns to assist in the development of new systems.
Our approach was to develop the security architecture in a highly structured way, to ensure that all requirements and security elements were incorporated and defined. The consultant was placed with the Enterprise Architecture team, with reporting also to the CISO.
The methodology used to develop the architecture was to:
Identify the ICT Architecture principles, security principles and security framework
Define the relevant security domains
Develop a series of security service layers corresponding to the control requirements of the ISM and PSPF, as well as any relevant risk management plans
Describe the security control outcomes required for each security service layer
Set clear rules for the flow of data and provision of services between security domains
Describe the governance model used to enforce the security architecture
Create a series of architectural patterns to assist in system design across multiple security domains
While developing the security architecture, multiple meetings, workshops and review sessions were held to seek input and review commentary from stakeholders. This was complex due to the competing nature of some stakeholder roles, but resulted in an outcome that met the client’s original requirement and was demonstrably compliant with the ISM and PSPF.
The Security Architecture that was developed was endorsed by the Chief Technology Officer, Chief Information Security Officer, and lead Enterprise Architect. The benefits to the client included:
Establishment of a baseline for new system design that was clearly and demonstrably compliant with the ISM and PSPF while leaving flexibility for risk-managed decision making.
The identification of systemic flaws in the security of the enterprise ICT environment that could be addressed in future remediation work.
Clear information on how security controls should be implemented in the technical, governance, personnel, and physical aspects of modern ICT.
Tesserent is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.