Australian Signals Directorate Certified Cloud Services List requirements
ASD uses the accreditation framework laid out in the ISM, and your service will need to go through that process to be certified by ASD and included on the Certified Cloud Services List (CCSL).
ISM Governance:
- ISO 9001:2008 Quality Management Systems Standard
- ISO 14001:2004 Environmental Management System Standard
- OHSAS 18001:2007 Occupational Health & Safety Management System Standard
- ISO/IEC 27001:2005 Information Security Management System Standard
- ISO 50001:2011 Energy Management System Standard
Broadly, the process has the following main elements:
- Do you understand what workloads you wish to market your service to hold?
- Do you have the necessary physical security requirements for that workload?
- You will need to ensure your security documentation is prepared.
- You can do a self-assessment against the current ISM controls to gauge your current security posture.
- You will need to engage an IRAP Assessor to conduct an independent assessment of your service. This will include a full review of your architecture and documentation, on-site inspections, interviews with staff, etc.
ASD conducts certification, in consultation with the IRAP Assessor and the service provider.
See ASD's Cloud Computing Security Considerations paper on the ASD unclassified website: http://www.asd.gov.au/infosec/cloudsecurity.htm
The Cloud Computing Security Considerations document should assist you in performing a risk assessment to determine the viability of using cloud computing services.
Most importantly, the document provides a list of thought provoking questions to help agencies understand the risks that need to be considered with using cloud computing.
Obtaining an IRAP Assessment:
IRAP Assessors will conduct an independent assessment as described in the conducting audits chapter of the ISM. The current security framework, as laid out in the ISM, is the one that ASD uses for a cloud service to be included on the CCSL.
ASD has been conducting these activities on behalf of the Australian Government over the past year, with the aim of highlighting the security posture of the cloud service so government can make an informed, risk-based decision.
An IRAP Assessment will include:
- Scoping. In the cloud case, ASD approves the scope to ensure it encapsulates what we would expect to see. Scoping is important because it sets the boundaries of the assessment.
- Stage One – IRAP Assessment. This consists of a static document review, familiarisation with the system being assessed and highlighting key areas of concern or things which could impact the timeframes of the assessment. In some cases a report is delivered at the end of Stage One – especially in cases where it is obvious that certification will never be achieved. This can sometimes look like a gap assessment. The provider may take time after the Stage One assessment to conduct remediation activities.
- Stage Two – IRAP Assessment. This includes an onsite inspection and interviews with operations and key staff. It will seek evidence to support the documentation and ensure controls are implemented and operating effectively. This is the usual stage where the IRAP Assessor will deliver the IRAP report.
- Certification. In some cases this is done by the ITSA in a government agency. For multi-government-used gateways, and now cloud services, ASD is the Certification Authority. The main goal of certification is to provide transparency around the security posture of the system or service assessed. It focuses the customer/agency on the areas of non-compliance and, sometimes more importantly, on the shared responsibilities the customer is signing up to by using the service. An example of this may be training staff in security threats. The provider can be deemed fully compliant (usually the Assessor will have seen evidence through training content), yet the client/agency still has a responsibility to train its own staff to ensure the overall risk has been mitigated.
- Certification can involve different elements based on the findings of the IRAP Assessor. The Certification Authority can use any information, even information outside the IRAP report, such as previous IRAP Assessments, which give great insight into the security of the system over time. We can look at cyber incidents or threats which have not been publicly disclosed and suggest mitigations. All Certifications are different, but in all cases the certification report should give the Accreditation Authority all the information needed to make an informed Accreditation decision (besides the agency's appetite for risk and business drivers).
The CCSL (http://www.asd.gov.au/infosec/irap/certified_clouds.htm) details those services that have been assessed and certified (not just the company) and to what classification level.
There is a requirement for service providers to re-assess and re-certify every 24 months. There are instances when re-certification will be triggered inside the certification period, which could include:
- Significant changes in information security policies and procedures
- Detection of new or emerging threats to the cloud service
- The discovery that controls are not operating effectively
- Major system architectural changes
- Changes to the cloud service or customer risk profile.
For more information regarding the assessments and what documentation is required, please see http://www.asd.gov.au/infosec/irap/index.htm