PSPF Direction on Technology Risk Management

August 22 2024, by James Rabey | Category: Government

In July, Home Affairs issued a Direction under the Protective Security Policy Framework (PSPF) requiring Non-Corporate Commonwealth Entities to conduct a stocktake and develop a Technology Risk Management Plan for all their internet-connected assets or services.

This includes those services managed on behalf of the entity by third parties.

The Direction comes at a time when Australia has come under increasing attack from state-based cyber groups like APT 40 targeting corporate and government networks through their internet-facing, or “edge” services.

The stocktake should at a minimum include a detailed scan of the entity’s “Attack Surface” – every domain and public IP address sitting between the agency’s data and the internet.

The stocktake needs to capture the manufacturer, supplier and provider, plus the outsourced manager where applicable.

IT teams normally have a clear idea of their internally managed and outsourced services like cloud tenancies, gateways and firewalls, but may not have visibility of the “shadow IT” services that are operated on behalf of the agency but outside of the IT organisation’s remit.

The rationale behind the stocktake is that you can’t defend what you don’t know about. Understanding, for example, the manufacturer of every one of your edge services helps you determine which vulnerability alerts you need to act on.
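To make the stocktake concrete, here is an added example (not code from the original post or from Macquarie Government) of a minimal edge-asset register carrying the fields the Direction asks for, with a check that flags assets whose record is too incomplete to triage and a routine that matches vendor vulnerability alerts to the assets they affect by manufacturer. All asset names, vendors and alerts are constructed sample data.

```python
"""Added example: attack-surface stocktake register and alert triage.
Every asset, vendor and alert value here is constructed for illustration."""
from dataclasses import dataclass

# Fields the stocktake must capture before an alert can be acted on.
REQUIRED = ("manufacturer", "supplier", "provider")

@dataclass
class EdgeAsset:
    name: str                     # domain or public IP facing the internet
    manufacturer: str             # who makes the product (e.g. firewall vendor)
    supplier: str                 # who sold or licensed it to the entity
    provider: str                 # who hosts or operates it
    outsourced_manager: str = ""  # third party managing it on the entity's behalf, if any

    def gaps(self):
        """Required stocktake fields still unknown for this asset."""
        return [f for f in REQUIRED if not getattr(self, f).strip()]

# Constructed stocktake: two known services and one shadow-IT site whose
# manufacturer nobody in IT could name.
STOCKTAKE = [
    EdgeAsset("vpn.agency.example", "VendorA", "ResellerX", "OnPrem", "MSP-One"),
    EdgeAsset("203.0.113.10", "VendorB", "VendorB", "CloudY"),
    EdgeAsset("events.agency.example", "", "AgencyZ", "WebHostQ"),  # shadow IT
]

# Constructed vulnerability alerts, keyed by the affected manufacturer.
ALERTS = [
    {"id": "ALERT-0001", "manufacturer": "VendorA", "title": "Auth bypass in VPN appliance"},
    {"id": "ALERT-0002", "manufacturer": "VendorC", "title": "Bug in a product the entity does not run"},
]

def incomplete_assets(register):
    """Assets whose record cannot yet support alert triage, with their gaps."""
    return {a.name: a.gaps() for a in register if a.gaps()}

def actionable_alerts(register, alerts):
    """Map each alert to the edge assets it affects. An alert whose
    manufacturer is absent from the register needs no action."""
    by_vendor = {}
    for a in register:
        by_vendor.setdefault(a.manufacturer.lower(), []).append(a.name)
    return {al["id"]: by_vendor[al["manufacturer"].lower()]
            for al in alerts if al["manufacturer"].lower() in by_vendor}

if __name__ == "__main__":
    print("stocktake gaps:", incomplete_assets(STOCKTAKE))
    print("alerts to act on:", actionable_alerts(STOCKTAKE, ALERTS))
```

The shadow-IT site surfaces as a gap rather than silently matching nothing, which is the practical point of the Direction’s manufacturer field.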

The Technology Risk Management Plan for each service identified in the stocktake needs to be in accordance with PSPF Policy 11, in line with the Robust ICT system lifecycle stages:

  1. Define: Start by clearly stating how the system will interact with the information it stores, communicates or processes, based on the impact of loss or compromise.
  2. Design: Based on the above risks and your entity’s risk appetite, determine what security controls should be applied.
  3. Implement: Once they have been accepted by the CISO or equivalent as appropriate and sufficient, apply and document the above selected controls.
  4. Assess: Validate that the controls have been implemented and are working as intended.
  5. Authorise: The CISO or nominated responsible person completes the formal process, known as an “AtO” (Authority to Operate), of approving the system to operate, based on its associated security risks.
  6. Monitor: Not just actively monitoring event logs for signs of threat activity, but also regularly reviewing those security controls to ensure they remain relevant.
  7. Decommission: When a system is no longer required, dispose of it through destruction, repurposing or disposal in an appropriately secure manner.

The Technology Risk Management Plan must also include controls to mitigate security vulnerabilities and Foreign Ownership, Control or Influence (FOCI) risks.

Put together, the stocktake and Risk Management Plan requirements create a cadence of continuously identifying assets and risks, implementing controls and monitoring all of them – assets, risks and controls.
Maintaining that cadence takes a lot of effort but, given how quickly the typical IT environment changes and the growing threats mentioned earlier, it is necessary.

IT agility results in IT assets being deployed, integrated and decommissioned daily. That’s why at Macquarie Government we run attack surface scans daily.

New vulnerabilities are published daily; that’s why we keep our asset registers and vulnerability databases constantly up to date.

Threat tactics, techniques and procedures evolve constantly; that’s why we continually develop new threat hunts that are intel-led and threat-focused.

All the above changes are why we regularly run simulations of the latest attack patterns against implemented security controls to test their continued effectiveness.

The risks to internet facing services are real and growing. This Direction, of which only three others have ever been issued, is evidence that the Commonwealth is taking it seriously and guiding all entities to strengthen their defences accordingly.

Get in touch with us.

Macquarie Government has been playing a role in protecting Australia’s government data for 2 decades now, and is proud to be part of this uplift. If you are interested in how our experience and expertise can help your agency, get in touch using the form below.
