Broadly, the risk management framework used by the ISM has six steps:Īs always, additional compensating controls can be implemented on a risk-managed basis by individual agencies prior to agency authorization and subsequent use of these cloud services.
Within this risk management framework, the identification of risks and selection of security controls can be undertaken using various risk management standards, such as International Organization for Standardization (ISO) 31000:2018, Risk management - Guidelines. The risk management framework used by the ISM draws from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Rev.
MICROSOFT OFFICE 365 SUPPORT AUSTRALIA MANUAL
The IRAP assessments found that the Microsoft system architecture is based on sound security principles, and that the applicable Australian Government Information Security Manual (ISM) controls are in place and fully effective within our assessed services. Moreover, these assessments were conducted under the new, post CCSL Cloud Security Guidance as outlined in the Anatomy of a Cloud Assessment and Authorisation guidance from the ACSC.įor each assessment, Microsoft engaged an ACSC-accredited IRAP assessor who examined the security controls and processes used by Microsoft's IT operations team, physical datacenters, intrusion detection, cryptography, cross-domain and network security, access control, and information security risk management of in-scope services. These assessments added more services assessed to the classification level of PROTECTED. In December 2020, Microsoft completed two incremental Azure & Dynamics and Office 365 assessments. The reports contain both an assessment of Microsoft as a Cloud Service Provider (CSP) and other services that are incremental to the 2019 reports across Azure, Dynamics, and Office 365. These reports utilized the new guidance post the cessation of the Certified Cloud Services List (CCSL).
In December 2020, Microsoft released two incremental IRAP assessments for Azure and Office 365.In September 2019, Microsoft's updated IRAP assessment scope expanded to include 113 services at the PROTECTED classification.Microsoft is the first and only public cloud provider to achieve this level of certification. In April 2018, the ACSC announced the certification of Azure and Office 365 at the PROTECTED classification.In June 2017, ASD announced the recertification of Microsoft Azure and Office 365 for a greatly expanded set of services.In April 2015, the ASD announced the CCSL certification of both Azure and Office 365, and in November 2015, of Dynamics 365.In early 2015, Office 365 became the first cloud productivity service to complete this assessment.These two datacenters give Australian customers control over where their customer data is stored, while also providing enhanced data durability in there are disasters through backups at both locations. In 2014, Azure was launched as the first IRAP-assessed cloud service in Australia, hosted from datacenters in Melbourne and Sydney.
The IRAP goal is to maximize the security of Australian federal, state, and local government data by focusing on the information and communications technology infrastructure that stores, processes, and communicates it. IRAP provides a comprehensive process for the independent assessment of a system's security against Australian government policies and guidelines. Endorsed IRAP assessors can provide an independent assessment of ICT security, suggest mitigations and highlight residual risks. IRAP provides the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to the Australian government. The Information Security Registered Assessors Program (IRAP) is governed and administered by the Australian Cyber Security Centre (ACSC).
The Information Security Registered Assessor Program (IRAP) provides a comprehensive process for the independent assessment of a system's security against Australian government policies and guidelines.
0 kommentar(er)
