Cyber and Security
Orica Enterprise Risk Intelligence Platform
Design, build, implement, host and support an enterprise risk intelligence tool to be used by Orica’s 13,000 employees globally to standardise risk management processes and provide management with the ability to quantify and compare risks across disparate business units.
riskDNA includes serialisation to ensure every risk is unique; extensive charting and reporting options, including the ability to create a mind map; complex algorithms and inbuilt calculators to mathematically quantify risks so they can be compared; extensive colour coding for quick visual identification of risks; the ability for users to set individual language preferences; validation of IP addresses at login while still providing a guest option; and extensive security in terms of roles and permissions.
Specific activities included:
Business Analysis – developed specification for system requirements [coordinated management/user group research sessions, desktop research with regard to functionality of existing applications, identified ISO 31000 requirements], developed functional requirements, identified potential risks and identified regulatory constraints.
Technical Strategy – designed an innovative solution with enterprise architecture to manage risk in a comprehensive manner, developed an application build strategy so a core application could support multiple ‘bolt-on’ functionality improvements over time, provided multilingual capability for 13,000 global users, designed the Cloud architecture [with consideration of global internet speeds, data sovereignty, system load both in terms of volume of users and processing requirements for key users, 24/7 support requirements, a strategy for managing updates without taking the system down, backups and redundancy], enabled remote users to work offline and developed a strategy for the associated data management issues, developed a data migration strategy to integrate data from multiple sources, and designed a mobile [iOS] application.
Developed Change Management Processes as risk management was now the responsibility of all employees.
Build and Test – developed a prototype, built the core application and then built additional modules [mind map, management dashboard, Permit to Work System, Job Safety Assessment tool etc], designed the user interface, built the mobile [iOS] application, and built the Cloud hosting infrastructure. Set up a two-stage Cloud architecture for testing and production, built test databases, developed automated test scripts to run in a Cloud-hosted device farm, performed regression testing using an automated test tool and manual testing, and developed user acceptance tests. Load testing, security testing and heuristic evaluation. Provided systems and processes for quality assurance as a large team of 20 was working in parallel on the application development.
Implementation – data migration, developed user manual and help, developed e-learning materials and online user competency certification, one on one training for key user group, intensive post implementation support, resolved warranty defects in a timely manner, provided appropriate system documentation, documented lessons learned.
Support – provided Level 1 support for both the application and Cloud infrastructure in a global 24/7 environment, provided SLA reporting, conducted routine application testing as well as backup and disaster recovery, and worked continually to refine both the application and the hosting environment to provide the Client with the best possible product.
Project Management – provided a single point of contact for project management, provided client with a fixed price quotation for all development and ensured the project was delivered on time and on budget to the agreed specification. Supported the client with material and statistics for board and management reports.
Cyber
Cyber Security - Due to confidentiality, much of the work completed in this area cannot be published on line.
Please contact SME Gateway for any information or background you may require.
Outline of capability
SME Gateway experience spans a wide range of the ICT security spectrum including:
- Security Architecture,
- Governance & Compliance,
- Risk Management,
- Audit,
- Application Security,
- Incident Response,
- Investigation, and
- Forensics.
By combining the strengths of experienced consultants with the most up-to-date knowledge of security issues and developments, our Members deliver industrial-strength solutions. Our focus beyond the solution is to support continuous improvement practices that keep security front of mind and keep organisational assets secure.
Security Architecture
We provide clients with expertise to successfully deliver enterprise-wide security architecture solutions. Our services also include verification and validation of ICT security environments such as data centres, cloud environments and third-party service provider services. Our member Security Architects and Security Specialists develop appropriate enterprise solutions and countermeasures to protect against attacks, including zero-day attacks. Our consultants have been involved in planning, developing and implementing Security Operation Centres (SOC) and Advanced Threat Attack Centres (ATAC) for the public and private sector.
The security architecture model employed is based on years of hands-on design, planning and delivery experience. It incorporates security components of ITIL, COBIT and ISO then combines these with Zachman, TOGAF and DGAF for a complete and comprehensive architecture. This approach has been applied to strengthen many public and private organisations.
Applications Security
SME Gateway partners have extensive consulting expertise in applications and their security. Our experience includes retrofitting security, redeveloping legacy applications, and the development and testing of greenfield applications. We review legacy application code such as COBOL, Fortran, Pascal and others to detect security risks and intrusion points.
Our people have wide-ranging global experience in developing models, frameworks, processes and procedures which, when deployed, ensure secure software and application coding practices are applied in the development lifecycle.
Governance & Compliance
Our organisations have a clear understanding and knowledge of the Australian Government Security Policies and Guidelines, in particular:
- OnSecure is the central online community portal for information security professionals working for government.
- The Protective Security Policy Framework (PSPF) is a policy which creates a more effective protective security framework by streamlining practices in order to achieve better security outcomes, increase efficiency, and eliminate duplication.
- The DSD Information Security Manual (ISM) is the standard which governs the security of government ICT systems. It complements the Protective Security Policy Framework. Our systems meet the ISM requirements for Information Security Monitoring, Vulnerability Management, Cyber Security Incidents, and Detecting Cyber Security Incidents.
SME Gateway Members are experienced in the IT Security industry and have developed a ground-breaking solution for Government Agencies needing custom IT assurance systems. We have developed assurance solutions to meet the requirements of the Information Security Manual. The DSD document “Strategies to Mitigate Targeted Cyber Intrusions” provides additional information about implementing the 35 mitigation strategies, and is regularly updated by DSD.
Gateway Information Security services enable customers to identify and maintain their required security posture, or achieve their required security objectives, using the following frameworks as the basis of our security service framework:
- Strategies to Mitigate Targeted Cyber Intrusions 11/2011, 21 July 2011
- ISO/IEC 31000 (previously AS/NZS 4360) Risk Management; AS/NZS 7799 Information Security Management; AS/NZS Handbook 231 Information Risk Management; AS/NZS 27001 Information Security
- ISO/IEC 17799 Code of Practice for Information Security Management; ISO/IEC 13335 parts 1 to 5; ISO/IEC 15408 Common Criteria; ISO/IEC 21827 Information Technology - Systems Security Engineering - Capability Maturity Model
- Australian Information Security Manual (ISM) Revised August 2011
- Protective Security Policy Framework (PSPF) CCIMB-2002-07-001
- Institute for Security and Open Methodologies OSSTMM 3.0
- Privacy Act of Australia, Act No. 119 of 1988 as amended; National Privacy Principle (NPP) 4.1; National Privacy Principle (NPP) 6
Risk Management
There are many risks stemming from organisational dependence on ICT systems. Our consultants have the specialist domain knowledge needed to identify, assess and mitigate these types of security risks. We can assist with ICT security risk management services for individual projects through to the enterprise level.
Audit – Managed Vulnerability
Managed Vulnerability Assessment Service (MVAS) is a security assessment that approaches vulnerability assessment from a hacker’s perspective. Unlike virus scanning systems, which can only react once malware has already made it into the network, MVAS is proactive in helping close the doors that let hackers in to begin with. MVAS identifies all vulnerabilities and breaches in the computer network, reports the results in risk order and advises on how to close them. MVAS is automatically updated by security professionals who generally report on 3-4 new vulnerabilities per day. MVAS also decreases organisations’ labour costs, as the technology can replace the multiple network engineers generally required to monitor a network’s security. Our automated scanning server allows vulnerability assessments to be performed inexpensively and as often as makes sense for that corporation.
IT assessment services use a number of sources to identify common threat assessment information, including CVE, vendor software reports and generally reported problems. The major set is published by the Mitre Corporation as Common Vulnerabilities and Exposures (CVE). CVE is co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This data aligns to the vulnerabilities identified by AusCERT, which identifies vulnerabilities daily; by the time they are published, they are already included in the daily scanning schedule.
We add value by being poised to implement new scan routines within one day of new threats being identified. This offers the shortest practicable window between the identification of a threat and notifying customers of their exposure status.
Incident Response
The incident response services in CAI can be initiated by clients to mitigate incidents such as malicious code outbreaks and network intrusions, including targeted and denial-of-service attacks. Our specialist team includes personnel with national security expertise who continue to provide advice to the Department of Defence in relation to incident response for state-sponsored targeted intrusions.
Investigation and Forensics
We provide services and support for pure investigation and forensic activity. Our people will discreetly undertake ICT misuse, fraud and unauthorised disclosure investigations. Our members’ consultants have provided investigation and forensic services in support of Australian Federal Police search warrants and Australian Public Service internal investigations. Our capabilities are often utilised to provide expert opinions in relation to allegations of ICT misuse and fraud.
Penetration Testing
Conduct Penetration Testing of internal management systems.
Provide infrastructure architecture design review and security compliance analysis.
Penetration Test plans agreed and signed.
Testing conducted within rules of engagement.
Test findings reported and vulnerabilities advised with appropriate mitigations and/or solutions.
Architecture review report and compliance requirements delivered with consultation and guidance.
- Department of Finance and Deregulation,
- Department of Immigration and Citizenship (DIAC),
- Department of Human Services (DHS),
- Australian Sports Commission,
- Australian Institute of Health and Welfare,
- Australian Electoral Commission,
- Australian Taxation Office,
- Attorney General’s Department,
- ComSuper,
- Medicare Australia,
- Department of Broadband, Communications, and the Digital Economy,
- NSW Attorney Generals Department,
- Australian Agency for International Development (AusAID),
- NSW Department of Primary Industry,
- Australian Sports Anti Doping Authority,
- Family and Community Services and Indigenous Affairs,
- Department of Immigration and Citizenship,
- Department of Communications, Information Technology and the Arts,
- NSW Department of Environment and Climate Change,
- ATO,
- Security Incident Response,
- System Access Approval
Deployment and Configuration of SIEM OE tool:
Security incidents responded to, investigated, and reports delivered.
Controls implemented and Security Risk Management Plans updated.
Review of access requests and approval to systems recommended.
Configuration of alert rules as per contractual requirements.
Routine reports developed and delivered.
Security Infrastructure
Project
As part of the EQuIP (Evaluation and Quality Improvement Programme) review cycle established by ACHS (Australian Council of Healthcare Standards) our Consultants were commissioned to review the existing Security Infrastructure for the Hospital's main sites and conduct a risk assessment to establish an improvement strategy.
Objectives
A number of clear objectives were established and agreed at the outset. These were captured in a Project Document which forms the basis of all JBS projects. In summary these were:
- To review the existing technical and operational infrastructure across the main sites;
- Identify any risks the Hospital faced and potential impact on the ability to deliver an effective service;
- Identify any future projects or changes which may affect a future strategy;
- Define a strategy for improvement and make recommendations to address any immediate issues.
Methodology
The project followed 4 key stages:
- Key players in the delivery of clinical and non-clinical services were identified and interviewed to assess their views and capture their experiences;
- The facilities were assessed to determine the operational objectives and capability of the infrastructure to meet these objectives;
- A number of key strategic objectives and immediate issues were identified and an outline plan agreed with Hospital staff;
- A detailed plan was developed for presentation to the Board.
Outcomes
As a result of the review, the overall Strategy has been accepted and a number of the recommendations are in progress. The subsequent EQuIP review proved very favourable and supported the overall strategic approach.
Security Related Projects Summary
The following summary notes identify a range of projects that have been completed by SME Gateway companies. Specific information on these projects is available on request:
Conduct a review of Diplomatic Security Branch in DFAT to assess current and future Security Equipment held at 92 overseas posts and the associated specialist Armoured Vehicle Fleet. This included a global market technology review and forecasting across a 10 year budget spend for rolling replacements.
DMO – Conducted a cultural change readiness assessment and supporting change strategy and training program.
Defence Security Authority – Developed a process to manage changes and control configurations linking policy and operational documentation in the electronic Defence Security Manual (eDSM).
AGD – Contracted within the portfolio to implement a range of security projects after the 11 September 2001 terrorist attacks. These included implementing Australia’s inaugural Air Security Officer (ASO) program on board Australian domestic and international airlines, and upgrading counter-terrorist response arrangements at all major Australian airports. We oversaw the development and implementation of the ASO program from conception, including strategies, structure, operational procedures, responses and reporting mechanisms, and supporting intelligence requirements. We also consulted internationally with other Asian countries seeking to develop their own enhanced counter-terrorist capabilities.
AGD – Provided subject matter expertise to the National Counter-Terrorism Operational Response Sub-Committee’s development of cross-jurisdictional counter-terrorist training programs, including the tactical response, command and control, intelligence, negotiations, bomb response and investigations capabilities.