Home Affairs digitises 'authority to operate' process for ICT systems

Home Affairs has digitised the process it uses to ensure relevant security controls are applied and kept up to date to protect information handled by its hundreds of ICT systems.

The process is critical to enabling the department to meet its protective security policy framework (PSPF) and Essential Eight obligations.

Director of cyber risk management Alex Reale told the ServiceNow World Forum Melbourne 2024 that when she arrived at Home Affairs early last year, the department had “already invested" in ServiceNow for the purpose of digitising system authorisation.

Under the PSPF, a CISO or similar must complete an ‘authority to operate’ process for each relevant technology system, “approving the system to operate based on its associated security risks”.

However, Reale found the department was trying to replicate its existing process within ServiceNow.

That existing process was run on a mix of spreadsheets, Word documents, emails and local storage on security analysts’ devices, and assessment times could be lengthy.

“The review of a system to ensure the security controls were in place could take anywhere up to 12 weeks, and in an environment the size of the department’s, we’re talking hundreds of systems that require authorisation at any given time,” Reale said.

Upon starting with the department, Reale backed the move to digitise the 'authority to operate' process using ServiceNow but departed from the idea of simply replicating the existing method.

That change enabled the department to progress the project through to completion.

It is now using the ServiceNow Continuous Authorisation and Monitoring module to manage the process, "with minimal configuration required", according to a slide shown at the conference.

“Now we’re at a point where we can demonstrate alignment with the PSPF and … compliance with the requirements of the Essential Eight and with the ACSC’s Information Security Manual (ISM),” Reale said.

“We can define our systems and identify the security requirements that we need to put around them through our security impact assessment, our workflows are better automated and we’re able to track where and when and what stage of an assessment any given system is at.”

“My staff [level] has [also] increased to around 25, given that we’re able to better demonstrate the demand for our services.”

Reale said that ServiceNow also acts as a much-needed single source of truth and basis for compliance reporting.

“It was so frustrating having to look through multiple spreadsheets, trackers, any other repository of information to try to develop a complete picture of the security posture of our organisation,” she said.

Six-step process

ServiceNow essentially codifies a six-step ‘authority to operate’ process within Home Affairs.

It establishes system ownership and responsibilities, “confirms what information assets are present within a system, and identifies what threats may apply to that system”.

Security controls are then selected.

“Within the federal government, most of us are working with the ACSC’s ISM controls so all of those control overlays are already there, pre-prepared for us within ServiceNow,” Reale said.

“We can also overlay that with the Essential Eight so that we can report specifically on compliance with Essential Eight controls within a given system. 

“We can also develop our own bespoke policy and process controls.”

The cyber risk management team then communicates to the system owner what controls they need to implement and demonstrate are in place.

“ServiceNow supports us to do that by once we’ve identified the list of controls that apply to that system, sending an attestation questionnaire to those stakeholders where they can report back in the tool and provide evidence as to where and when they have implemented the relevant security control,” she said.

Information provided through the implement and attest stage is returned to the cyber risk management team.

“We’re able to develop systemised test plans to ensure that those controls are in place and effective,” Reale said.

“Off the back of that, we can conduct our risk assessment. We’ve mapped our controls to a series of 12 risks which are all captured in the tool, and we can link the non-compliant controls through to our risks and then report on this posture for any given system, and then develop plans of action milestones for any outstanding treatments or actions that we need the system owner to take.”

The formal authorisation part of the process then kicks in.

“Authorising a system requires an acceptance of the residual security risks within the system, and ServiceNow supported us to do that through automating all those workflows and providing that summary of information up to our CISO so [they are] able to make a determination based on the assessment of risk as to whether the system is fit for operation in production,” Reale said.

“Once a system is authorised, we’re able to continuously monitor the status of those controls and conduct reporting on whatever metrics we like.”

In addition to streamlining the ‘authority to operate’ process, Reale noted that visual representations helped the department to communicate its cyber and system risk posture to executives.

“We’re [also] able to easily demonstrate compliance with relevant policies and frameworks,” she said.

“We’re able to ensure that our accountable authorities have information when and where they need it, and we’re able to capture and report on the Essential Eight and PSPF, as we’re required to do.”

Ry Crozier travelled to ServiceNow World Forum Melbourne 2024 as a guest of ServiceNow.

Home Affairs digitises 'authority to operate' process for ICT systems

Home Affairs digitises 'authority to operate' process for ICT systems

Home Affairs digitises 'authority to operate' process for ICT systems

Home Affairs digitises 'authority to operate' process for ICT systems

Home Affairs digitises 'authority to operate' process for ICT systems