In a significant milestone, One Click Group (ASX: 1CG) has successfully completed its Information Security Registered Assessors Program (IRAP) assessment for its tax Software as a Service (SaaS) offering One Click Life. This achievement underscores the company’s unwavering commitment to ensuring the utmost security for its operations. But what exactly is IRAP, and what does this accomplishment mean for One Click Group?
Understanding IRAP
IRAP, short for the Information Security Registered Assessors Program, is a vital initiative that empowers Australian Government customers to validate an organization’s adherence to and maintenance of appropriate controls in line with the Australian Government Information Security Manual (ISM). The ISM, crafted by the Australian Cyber Security Centre (ACSC), sets out the essential guidelines and standards for information security within the government.
IRAP Assessment Process
During the IRAP assessment, certified IRAP assessors meticulously scrutinize an organization’s ISM controls across various domains. These domains encompass critical aspects such as intrusion detection, encryption processes, network security, access controls, and information security risk management. The ultimate goal is to determine whether the SaaS complies with the stringent ISM requirements set forth by the Australian government.
One Click Group’s Achievement
In the case of One Click Group, the IRAP assessors conducted a thorough evaluation and came to a noteworthy conclusion. They found that One Click Life met the standards required by the Australian government ISM, achieving compliance up to the “Sensitive” level. This signifies that One Click Group has established robust security controls and practices, ensuring the protection of sensitive information via One Click Life, its Australian Taxation Office (ATO) registered cloud software.
Continual Commitment
One Click Group’s dedication to security doesn’t stop here. In conjunction with its successful IRAP assessment, the company is committed to ongoing improvement. One Click Group also undergoes an annual Operational Security Framework assessment by the Australian Taxation Office (ATO) for both of its ATO cloud software products, One Click Life and One Click Verify, further bolstering its security measures. Looking ahead, the company has set its sights on obtaining an even higher level of security clearance, aiming for a higher level in its next assessment, which is slated for 24 months from now.
In summary, One Click Group’s successful completion of the IRAP assessment underscores their unwavering commitment to providing top-tier security for their Software as a Service offerings. This achievement not only assures their Australian Government customers but also demonstrates their dedication to staying at the forefront of information security practices.
To Whom Does the IRAP Apply?
In the ever-evolving digital landscape, cybersecurity and data protection have become paramount concerns for governments worldwide. As technology advances, so do the methods and tools that threaten the security and privacy of sensitive information. In light of these challenges, governments are taking proactive measures to safeguard their data, and one such initiative is the Information Security Registered Assessors Program (IRAP). In this comprehensive article, we will delve deep into the world of IRAP and explore to whom it applies.
What is IRAP?
Before we dive into the specifics, let’s begin by understanding what IRAP is. IRAP, short for the Information Security Registered Assessors Program, is an Australian government initiative designed to enhance the security posture of government agencies when it comes to handling sensitive and classified information.
The primary goal of IRAP is to ensure that government agencies are equipped to manage and protect their data effectively. It achieves this by implementing rigorous security standards and assessments, thereby reducing the risk of data breaches and cyberattacks.
IRAP and Australian Government Agencies
Now, let’s explore the scope of IRAP and its application among Australian government agencies. IRAP applies to all Australian federal, state, and local government agencies that utilize cloud services as part of their operations. This is a crucial aspect, given the increasing reliance on cloud technology in the public sector.
The adoption of cloud services has brought about numerous benefits, such as scalability, cost-efficiency, and accessibility. However, it has also introduced new security challenges, which IRAP aims to address. Therefore, if your organization is a government agency operating at any level in Australia and uses cloud services, IRAP compliance is not merely an option; it’s a necessity.
The Role of IRAP Assessments
To ensure compliance with IRAP, government agencies must undergo rigorous assessments conducted by accredited IRAP assessors. These assessments are comprehensive evaluations of an agency’s information security measures, policies, and procedures. The goal is to identify vulnerabilities and weaknesses, allowing agencies to take corrective actions to bolster their cybersecurity defenses.
IRAP assessments cover various aspects of information security, including but not limited to:
1. Risk Management
IRAP assessments delve deep into an agency’s risk management practices. This involves identifying potential threats, assessing their likelihood and impact, and implementing measures to mitigate those risks effectively.
2. Access Control
Controlling access to sensitive information is paramount. IRAP assessments scrutinize an agency’s access control mechanisms to ensure that only authorized personnel can access classified data.
3. Data Protection
Protecting data from unauthorized access or disclosure is a top priority. IRAP assessments evaluate an agency’s data protection measures, including encryption and secure storage.
4. Incident Response
In the event of a security incident, it’s crucial to have a well-defined incident response plan in place. IRAP assessments assess the effectiveness of an agency’s incident response procedures.
5. Security Awareness
Human error is a common cause of security breaches. IRAP assessments gauge the level of security awareness and training among an agency’s staff to minimize the risk of internal threats.
IRAP Beyond Australia: New Zealand’s Connection
While IRAP is primarily associated with Australian government agencies, its influence extends beyond Australia’s borders. New Zealand government agencies, in particular, require compliance with a standard similar to the Australian Government Information Security Manual (ISM). Since IRAP assessments align with ISM guidelines, New Zealand government agencies may also find them applicable.
This cross-applicability ensures that government agencies in both Australia and New Zealand can benefit from the enhanced security measures and best practices outlined in IRAP assessments.
In conclusion, the Information Security Registered Assessors Program (IRAP) plays a pivotal role in enhancing the cybersecurity posture of government agencies, primarily in Australia but with potential applicability to New Zealand as well. It is a critical initiative that helps government bodies safeguard sensitive information in an era of digital transformation and heightened cybersecurity threats.
In support of Australian government customers, One Click Group provides a package of security guidance and documentation to facilitate a better understanding of security and compliance when utilizing its services. The following IRAP documents are available upon request via email at [email protected]:
The Compliance Letter: This document serves as a formal acknowledgment and assurance of compliance with relevant security and compliance standards. It outlines the commitment of One Click Group to uphold the necessary security measures and protocols required by Australian government agencies.
The Control Implementation Summary: This document provides a comprehensive overview of the security controls and measures implemented by One Click Group. It details the steps taken to safeguard data and infrastructure, ensuring that the highest security standards are met.
IRAP Stage 2 Report: The IRAP Stage 2 Report is a critical document that delves into the specifics of the Information Security Registered Assessors Program (IRAP) assessment. It outlines the findings and assessments made during the evaluation of One Click Group’s security measures. This report offers valuable insights into the security posture of One Click Group’s services, highlighting areas of strength and areas that may require improvement to align with government security standards.
These documents are essential resources for Australian government agencies and organizations seeking to assess the security and compliance aspects of One Click Group’s services. They demonstrate One Click Group’s commitment to transparency and adherence to the highest security standards, ensuring that government data remains protected and secure.
For further information or to request these documents, please contact [email protected], and the dedicated team will assist you in accessing the documentation needed to support your security and compliance needs.
IRAP (Information Security Registered Assessors Program) assessors are highly trained and accredited professionals who play a crucial role in evaluating the information security measures and practices of organizations, primarily within the Australian government context. These assessors are authorized by the Australian Cyber Security Centre (ACSC) to conduct security assessments and provide expert guidance on cybersecurity matters.
Here are key points about IRAP assessors:
Accreditation: IRAP assessors undergo rigorous training and certification processes to become accredited assessors. This accreditation is granted by the ACSC, which is part of the Australian Signals Directorate (ASD). It ensures that assessors have the necessary knowledge, skills, and expertise to assess the security posture of organizations effectively.
Independence: IRAP assessors are typically independent contractors or employees of authorized assessment organizations. This independence is crucial to maintain objectivity and impartiality during assessments.
Roles and Responsibilities: IRAP assessors are responsible for conducting security assessments of organizations, including government agencies and private sector entities, that handle sensitive and classified information. Their primary responsibilities include evaluating an organization’s compliance with security standards, identifying vulnerabilities and weaknesses, and providing recommendations for improving security measures.
Assessment Phases: IRAP assessments typically consist of two stages: Stage 1 and Stage 2. During Stage 1, assessors review an organization’s documentation and security policies to ensure they align with government security standards. In Stage 2, assessors conduct on-site assessments, testing security controls and practices in a real-world context.
Reporting: After completing the assessment, IRAP assessors generate detailed reports outlining their findings, recommendations, and an overall assessment of the organization’s security posture. These reports are valuable for organizations to enhance their security measures and achieve compliance.
Ongoing Engagement: IRAP assessors often maintain ongoing relationships with organizations to provide guidance and support for implementing security improvements and ensuring continued compliance.
Government Mandate: IRAP assessments are mandated for Australian government agencies that use cloud services to ensure data security and compliance with government standards. Assessors help agencies navigate the complex landscape of cloud security.
In summary, IRAP assessors are skilled professionals authorized by the Australian Cyber Security Centre to assess and enhance the information security of organizations, particularly those in the Australian government sector. Their expertise is crucial for maintaining the integrity and security of sensitive government information in an era of evolving cyber threats.
ISM stands for the “Information Security Manual.” It is a comprehensive document that outlines the information security guidelines, policies, and best practices for the Australian government. The ISM is a critical component of the Australian government’s approach to cybersecurity and data protection.
Key points about the Information Security Manual (ISM) include:
Government Guidance: The ISM is developed and maintained by the Australian Cyber Security Centre (ACSC), which is part of the Australian Signals Directorate (ASD). It serves as the primary source of guidance for government agencies and organizations on matters related to information security.
Security Standards: The ISM provides a set of security standards and controls that are designed to protect government information and systems from various threats, including cyberattacks, data breaches, and espionage. It covers a wide range of security topics, including access control, encryption, network security, incident response, and more.
Risk Management: One of the central principles of the ISM is risk management. It emphasizes the importance of identifying and assessing risks to government information and assets and implementing appropriate security measures to mitigate those risks.
Classification Framework: The ISM includes a classification framework that categorizes government information into different levels of sensitivity. This classification helps agencies determine the appropriate security measures to apply to different types of information.
Compliance Requirements: Government agencies and organizations that handle classified or sensitive information are required to comply with the security controls and guidelines outlined in the ISM. Compliance with the ISM is essential for safeguarding government data and maintaining national security.
Updates and Revisions: The ISM is regularly updated to reflect evolving cybersecurity threats and technologies. This ensures that government security practices remain current and effective in addressing emerging challenges.
Applicability: While the ISM is primarily intended for government agencies, it is also a valuable resource for private sector organizations, especially those that work closely with the government or handle government data. Adhering to ISM guidelines can enhance the overall cybersecurity posture of such organizations.
In summary, the Information Security Manual (ISM) is a comprehensive document that provides essential guidance and security standards for the protection of government information and systems in Australia. It serves as a vital resource for government agencies and organizations seeking to strengthen their cybersecurity practices and ensure the confidentiality, integrity, and availability of sensitive data.
Yes, One Click Group meets the requirements of the ISM. One Click Group has successfully completed their IRAP (Information Security Registered Assessors Program) assessment for its Cloud Software and has been assessed as meeting the requirements of “Official: Sensitive” classification. This indicates that One Click Group has demonstrated a high level of compliance with the security standards and controls outlined in the ISM, specifically for handling sensitive government information as an authorised Australian Taxation Office (ATO) digital wholesale service.
The completion of an IRAP assessment and meeting the requirements of “Official: Sensitive” classification signifies that One Click Group Cloud Software has implemented robust information security measures, policies, and procedures to safeguard government data and systems. This achievement reflects their commitment to maintaining a strong security posture and ensuring the protection of sensitive information in accordance with government standards.
Government agencies and organizations can have confidence in One Click Group’s ability to develop Software as a Service that can handle secure sensitive data, knowing that they have undergone a rigorous assessment process and have been found to be in compliance with the ISM requirements. This commitment to security aligns with the high standards expected when working with government entities and sensitive information.
The ACSC Essential Eight cybersecurity strategies are important guidelines that apply to organizations like One Click Group, especially when they have undergone an IRAP (Information Security Registered Assessors Program) assessment. Here’s how these strategies apply to One Click Life and their compliance with IRAP:
Application Whitelisting: One Click Group can implement application whitelisting to control which software is allowed to run on their systems. This helps ensure that only trusted and authorized applications are executed, reducing the risk of malware infiltration. Compliance with this strategy demonstrates a commitment to strong security practices, which can be beneficial in an IRAP assessment.
Patch Applications and Operating Systems: Regularly patching both applications and operating systems is essential for addressing known vulnerabilities. By staying up to date with security patches, One Click Group can reduce the risk of exploitation by cyber threats. This practice is likely to align with IRAP requirements for maintaining secure systems.
Configure Microsoft Office Macro Settings: Configuring Microsoft Office macro settings to block macros from the internet and allowing them only for trusted sources enhances protection against macro-based attacks. Compliance with this strategy shows a proactive approach to securing office applications, which is relevant to IRAP assessments.
User Application Hardening: Configuring web browsers and email clients to block or prompt for the execution of certain web content enhances security. This measure helps protect against malicious content and aligns with the goal of maintaining secure user environments, which is relevant in IRAP assessments.
Restrict Administrative Privileges: Limiting administrative privileges helps prevent unauthorized access to critical systems. By following this strategy, One Click Group can demonstrate a commitment to ensuring that only authorized personnel have elevated access, a consideration in IRAP assessments.
Multi-Factor Authentication (MFA): Enabling MFA adds an extra layer of security to user accounts. Implementing MFA enhances access control and reduces the risk of unauthorized access to sensitive systems and data, an important aspect of IRAP compliance.
Daily Backups: Regularly backing up critical data and systems is fundamental for data recovery and business continuity. In an IRAP assessment, the ability to demonstrate effective data backup and recovery practices can contribute positively to the assessment process.
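As an added illustration of the macro-settings strategy above (this is not One Click Group’s code or configuration), the following PowerShell audit reads the per-user Office policy values and reports, for each application, whether internet-sourced macros are blocked and whether remaining macros are restricted to digitally signed sources. The registry paths and the meaning of the value numbers are the Office 2016 and later policy locations as I know them, not anything taken from this page; confirm them against the current ACSC macro-security guidance before relying on the result.

```powershell
# Added example (not One Click Group's code): audit Office macro policy against the
# "block macros from the internet, allow only trusted sources" strategy.
# Assumption: policy is applied per user under the Office 16.0 policy hive.
$apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings policy value as I understand it (verify against ACSC guidance).
$vbaLabels = @{
    1 = 'Enable all macros (weak)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeMacroPolicyState {
    foreach ($app in $apps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

        # 1 = block macros in files that carry the Mark-of-the-Web (downloaded from the internet)
        $block = $props.blockcontentexecutionfrominternet
        $warn  = $props.vbawarnings

        $label = if ($null -ne $warn -and $vbaLabels.ContainsKey([int]$warn)) {
            $vbaLabels[[int]$warn]
        } else {
            'Not set by policy (user-controlled, weak)'
        }

        [pscustomobject]@{
            Application        = $app
            BlockInternetMacro = ($block -eq 1)
            MacroSetting       = $label
            # Compliant only if internet macros are blocked AND the rest are signed-only or fully disabled
            Compliant          = (($block -eq 1) -and ($warn -in 3, 4))
        }
    }
}

Get-OfficeMacroPolicyState | Format-Table -AutoSize
```

Run it in the context of the user whose policy you want to check; a missing key is reported as weak rather than silently treated as compliant, which is the conservative reading an assessor would apply.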
In summary, the ACSC Essential Eight strategies provide a strong foundation for enhancing cybersecurity practices at One Click Group. Compliance with these strategies not only helps protect against common cyber threats but also aligns with the security and compliance requirements typically assessed during an IRAP evaluation. By implementing these strategies, One Click Group can strengthen its security posture and demonstrate a commitment to safeguarding sensitive information and systems, which is essential for organizations working with government agencies and data.
The Privacy Principles, often referred to as the Australian Privacy Principles (APPs), are a set of guidelines and regulations designed to govern the handling of personal information by Australian government agencies and private sector organizations. These principles are outlined in the Privacy Act 1988 (Cth), and they affect IRAP (Information Security Registered Assessors Program) assessments in several ways:
Data Protection and Handling: The Privacy Principles emphasize the importance of protecting individuals’ personal information. This includes ensuring that sensitive data is handled securely and protected from unauthorized access, disclosure, or breaches. In the context of IRAP, government agencies and organizations seeking IRAP compliance must demonstrate their commitment to safeguarding personal information, which is often a component of the assessment.
Consent and Transparency: The Privacy Principles require organizations to obtain informed consent from individuals before collecting their personal information. Transparency in data handling practices is also essential. In the context of IRAP, organizations must ensure that they have clear and documented consent mechanisms for any personal data collected during assessments. Transparency about how such data is used is crucial.
Data Minimization: The principles encourage organizations to collect only the personal information necessary for a specific purpose. This aligns with good data security practices within an IRAP assessment. Collecting and retaining only essential data helps minimize the risk associated with handling sensitive information.
Security Measures: While the Privacy Principles primarily focus on the privacy aspects of data handling, many security measures recommended in IRAP assessments overlap with data protection requirements. Implementing strong security controls, access restrictions, encryption, and incident response plans, as required by IRAP, also contributes to meeting privacy-related obligations.
Breach Notification: One of the Privacy Principles requires organizations to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of data breaches that are likely to result in harm. Similarly, in an IRAP assessment, organizations are evaluated on their ability to detect and respond to security incidents. Effective incident response aligns with both IRAP and privacy breach notification requirements.
Third-Party Vendors: Organizations often engage third-party vendors in IRAP assessments. It is crucial to ensure that these vendors also comply with the Privacy Principles when handling personal information. Organizations are responsible for the actions of their vendors in this regard.
Data Access and Correction: The Privacy Principles give individuals the right to access and correct their personal information. In an IRAP context, organizations should be prepared to demonstrate that they have appropriate mechanisms in place to handle such requests while maintaining the security of the information.
In summary, the Privacy Principles significantly affect IRAP assessments by highlighting the importance of data privacy and security in the handling of personal information. Organizations undergoing IRAP evaluations must ensure that their security measures not only meet IRAP requirements but also align with privacy obligations outlined in the Privacy Principles. This dual focus on security and privacy is crucial for organizations that handle sensitive information in collaboration with government agencies.
No, the Information Security Registered Assessors Program (IRAP) does not replace the One Click Group Australian Taxation Office (ATO) “Digital Service Provider Operational Security Framework.” These are two distinct frameworks with different purposes and applications:
IRAP (Information Security Registered Assessors Program): IRAP is a program initiated by the Australian Cyber Security Centre (ACSC) to assess and certify the security posture of organizations, especially those handling government data, including sensitive and classified information. IRAP assessments are conducted by accredited assessors to ensure organizations meet specific security standards and controls. IRAP is not specific to the ATO and applies to various government and non-government entities.
One Click Group ATO “Digital Service Provider Operational Security Framework”: This framework is specific to One Click Group’s operations as a digital service provider to the ATO. It defines the security requirements and standards that One Click Group must adhere to when providing digital services to the ATO. This framework is tailored to the ATO’s specific operational and security needs.
These frameworks serve different purposes:
IRAP focuses on evaluating the overall information security practices of organizations, ensuring they meet government security standards. It applies to various entities handling sensitive data, not limited to the ATO.
One Click Group’s ATO Operational Security Framework is specific to One Click Group’s role as a digital service provider to the ATO. It outlines the security measures required for their specific interactions with the ATO.
In summary, IRAP and One Click Group’s ATO Operational Security Framework are distinct and complementary. IRAP assesses the broader information security practices of organizations, while One Click Group’s framework is designed to ensure the secure provision of digital services to the ATO. Both are important in their respective contexts and should be addressed separately to meet specific regulatory and security requirements.