The Australian Cyber Security Centre (ACSC) is enhancing the Information Security Registered Assessor Program (IRAP) to strengthen the cybersecurity assessment framework. The agency has released an updated IRAP policy and a new IRAP Assessor Training module following an independent review of the program.
The enhanced program has been designed to help develop the capabilities of industry partners, increase the number of cybersecurity assessors and bolster national cybersecurity efforts. It has been developed in consultation with government and industry representatives.
The changes raise the standard and consistency of cybersecurity advice provided by IRAP assessors by requiring them to maintain and demonstrate ICT security knowledge.
Other changes include a minimum requirement for IRAP assessors to maintain a Negative Vetting Level 1 Security Clearance, and enhanced governance arrangements to assure that IRAP assessors perform their roles as independent third parties.
The ACSC has also established a revised five-day IRAP training course, which covers both IRAP and Information Security Manual fundamentals. The new policy will apply to all assessments initiated going forward, and current IRAP assessors will have 24 months to meet new requirements outlined in the policy.
Pushing better government cybersecurity measures
In October 2020, OpenGov Asia reported that the federal government of Australia was establishing a new industry advisory committee to help guide the implementation of its Cyber Security Strategy 2020. The Industry Advisory Committee will provide advice to the government through regular meetings and report directly to the Minister for Home Affairs.
The 2020 Cyber Security Strategy is firmly focused on protecting families and businesses, especially as they spend more time online, both at home and in their workplaces, the Minister for Home Affairs said. The Committee brings a wealth of experience from both the public and private sector that will build on the success of the Industry Advisory Panel and ensure the industry will continue playing a vital formative role in shaping the delivery of actions set out in the Strategy.
The work of the committee will be essential in light of the key role connected technologies are expected to play in Australia’s post-COVID recovery. While daily life is increasingly connected by digital technologies, more abundant and better-resourced cybercriminals and cyber-activists and increasingly sophisticated and emboldened state actors mean Australia is quite literally under constant cyberattack.
More recently, the Australian and US armies signed a joint agreement to develop a virtual cyber training range for real-world defensive missions.
The two nations have signed a Cyber Training Capabilities Project Arrangement, a bilateral, international agreement that will enable US Cyber Command to incorporate Australian Defence Force feedback into USCYBERCOM’s simulated training domain PCTE (the Persistent Cyber Training Environment).
The PCTE, which delivered its first production version this year, is designed as a distributed, secure, reconfigurable environment for conducting independent cyber operations training activities.
The long-term goal is to provide the US Department of Defense cyberspace workforce the capability to build and conduct full-spectrum, combined and joint cyberspace training, exercises, certification and mission rehearsal in a training environment.
The Australian Army major general who is Head of Information Warfare at the ADF stated that the agreement marks the first cyber-only arrangement established between the US Army and an allied nation. He noted that Australia and the US have a strong history of working together to develop their cyber capabilities and train people to fight and win in cyberspace. This arrangement will be an important part of the ADF’s training program, and the Australian government looks forward to the mutual benefits it will bring.