INFORMATION SECURITY GROUP PRESENTATION - PowerPoint PPT Presentation

About This Presentation
Title:

INFORMATION SECURITY GROUP PRESENTATION

Slides: 13
Provided by: agGov

Transcript and Presenter's Notes

Title: INFORMATION SECURITY GROUP PRESENTATION


1
INFORMATION SECURITY GROUP PRESENTATION
  • Infosec - Registered Assessor Program (I-RAP)

2
Title of the program
  • The program is now widely known as the
    Infosec-Registered Assessor Program (I-RAP)
  • It was formerly known as DRISSAP (DSD Registered
    Information Systems Security Assessment Program)
    Not any longer!

3
Who will manage the registration program and what
are the aims?
  • Standards Australia are managing the program on
    DSD's behalf
  • The aim of the program is to provide a pool of
    registered assessors who can undertake specific
    Commonwealth policy related IT security tasks
    traditionally conducted by DSD - the Advice &
    Assistance team
  • In the past, DSD has not had the resources to
    conduct some requests such as Commonwealth policy
    compliance Network reviews. I-RAP Assessors will
    soon be available to conduct this work to
    Commonwealth policy and best practice standards

4
How will the program work? (1)
  • Agencies (and others) will be able to contract
    I-RAP assessors to conduct a broad range of IT
    system assessments and reviews against
    Commonwealth policy (PSM, ACSI33)
  • DSD has produced guidance and checklists
    associated with this work (Commonwealth policy
    mandatories identified)
  • Systems completing successful I-RAP assessment
    will be issued with certificates that IT systems
    meet Commonwealth policy and best practice
    standards

5
How will the program work? (2)
  • Market forces: I-RAP assessors will be free to
    set their own rates
  • A list of I-RAP assessors, including short CVs,
    will be posted on the I-RAP website to be hosted
    by Standards Australia
  • Assessors will be provided with advice from DSD
    as required when they're conducting I-RAP work

6
Who can apply to join I-RAP?
  • I-RAP is open for applications from all
    individuals who meet the requirements
  • These requirements are:
      • Experience and/or relevant training experience
      • A 2 day I-RAP course
      • Passing the I-RAP entrance exam
  • I-RAP registration will last for 12 months

7
What type of Commonwealth policy work will I-RAP
Assessors be able to do?
  • Gateway assessments at IN-CONFIDENCE, PROTECTED
    and RESTRICTED levels
  • Network/System policy compliance reviews at
    IN-CONFIDENCE, PROTECTED and RESTRICTED levels
  • FedLink audits of agencies that have conducted
    FedLink self-review connection at IN-CONFIDENCE
  • FedLink assessments of agencies requesting
    PROTECTED participation (very similar to Gateway
    assessment)

8
Potential other areas for I-RAP
  • Review of agency threat risk assessments and IT
    security documentation
  • DSD are discussing other potential tasks to be
    added to the program - these may be added as
    required
  • NOTE: Technical reviews will continue to be
    conducted by the CNVT. I-RAP is not intended to
    be an endorsement of technical assessors; it is
    an endorsement of Commonwealth IT Security policy
    assessors

9
Policy & Procedures
  • There is a Policy & Procedures document to govern
    the way I-RAP assessors conduct work within the
    program
  • The Policy & Procedures covers aspects such as:
      • Requirement to address Commonwealth mandatories
      • Cost of the program
      • Use of evaluated products
      • Potential conflict of interest situations
      • Mechanisms for dismissal from I-RAP
      • Mechanisms for appeal

10
Program commencement details
  • A Pilot course was held on the 12th and 13th
    March - 25 participants from commercial and
    Commonwealth
  • The first intake of applicants will undergo
    training and sit the test in early May 2003
  • Standards Australia have already commenced a
    marketing campaign for I-RAP and the first
    applicants have registered to come along to the
    first course
  • DSD and Standards will discuss I-RAP at SIG 03

11
I-RAP Administrator details
  • Standards Australia I-RAP Administrator: Terry
    Ehret
  • Telephone: (02) 8206 6754
  • Email: irap_at_standards.com.au

12
Questions
  • Questions?