foresightconsulting.com.au

Mr. James Kavanagh
National Security Officer
Microsoft Australia
Level 4, 6 National Circuit, Barton, ACT 2600

02 March 2015

Microsoft Office 365 IRAP Assessment Letter of Compliance

Dear Mr. Kavanagh,

This document is to act as a letter of compliance for the Microsoft Office 365 cloud service.

From December 2014 through February 2015 Foresight Consulting was engaged to conduct an IRAP assessment of the Microsoft Office 365 ("Office 365") platform, consistent with the process prescribed in the Australian Government Information Security Manual (ISM) and the Protective Security Policy Framework. The assessment was conducted by Peter Baussmann, who is a registered assessor within the Australian Signals Directorate Information Security Registered Assessors Program (IRAP).

Microsoft Office 365 was assessed with regard to ISM controls for unclassified but sensitive information, referred to as UNCLASSIFIED (DLM). Within the ISM, these are identified as Government system (G).

The scope of assessment included the following services:
- Office 365 Services (Exchange Online, SharePoint Online, Skype for Business and supporting service workloads);
- Microsoft Cloud and Infrastructure Operations (providers of the global network and physical infrastructure); and
- Australian Data Centre facilities.

Foresight conducted the IRAP assessment in two stages:
- The first stage determined whether the system architecture (including information security documentation) is based on sound security principles and has addressed all applicable controls from the ISM.
- The second stage determined whether the controls, as approved by the system owner and reviewed during the first stage, have been implemented and are operating effectively.

Validation included onsite inspections, personnel interviews, process demonstrations, configuration reviews and review of existing certification reports and evidence.

Foresight Consulting also reviewed the Australian Office 365 System Security Plan and has prepared a detailed Report of Compliance documenting applicability and compliance with specific

A summary of assessment findings is provided in the attached table. The principal finding of this assessment process is that the applicable Information Security Manual controls are in place and fully effective within Office 365 for the processing, storage and transmission of UNCLASSIFIED (DLM) Australian Government data.

If, in the future, a significant change occurs to services within the scope of this assessment, Microsoft should advise an IRAP assessor for consideration of reassessment. Microsoft should also review the latest versions of the Australian Government Information Security Manual as they are published for changes to controls applicable to the service.

Regards,

Peter Baussmann, CISSP, CISM, CCSA, PCI-QSA, PCI-P, ASD IRAP Assessor
Principal Security Consultant, Foresight Consulting

Summary of assessment findings

Information Security Risk Management
  Risk Assessment; Security Risk Management Plan: Foresight found the controls in place to be effective for the management of Office 365 information security risks.

Roles and Responsibilities
  Chief Information Security Officer; IT Security Advisor; IT Security Manager; IT Security Officer; System Owner; System Users: Foresight found that the roles identified met the intent of the roles described within the ISM and that team responsibilities were clearly defined.

Information Security Documentation
  Documentation Framework; Information Security Policy: The Information Security Policies in place provide clear policy guidance and are considered to be an effective security control for Office 365.
  System Security Plan: The Microsoft Office 365 Australia SSP clearly details security controls for the system and is considered to be an effective security documentation control for Office 365.
  Standard Operating Procedures: The Microsoft Standard Operating Procedures reviewed addressed all security control areas and are considered to meet the intent of the applicable controls within the ISM.
  Incident Response Plan: Microsoft Incident Management Standard Operating Procedures meet the ISM requirements for an Incident Response Plan and are assessed to be effective security
  Business Continuity and Disaster Recovery Plan: Business continuity and disaster recovery are suitably addressed and Office 365 is considered compliant with the ISM controls relating to availability, business continuity and disaster recovery.

Information Security Monitoring
  Vulnerability Management: Microsoft's vulnerability management practices are assessed as effective for the identification, assessment, remediation and ongoing management of vulnerabilities.
  Change Management: The change management process is considered an effective security control for managing changes to Office 365.

Cyber Security Incidents
  Detecting, Reporting and Managing Cyber Security Incidents: Microsoft's incident management practices are considered compliant with the ISM and an effective security control for detecting, reporting and managing security incidents relating to Office 365.

Physical & Environmental Security
  Physical Security for Systems: The physical security controls in place meet or exceed ISM requirements for storage of UNCLASSIFIED (DLM) data.

Personnel Security for Information Systems
  Information Security Awareness & Training; Authorisations, Security Clearances & Briefings: Review of personnel security measures and interviews with security personnel provided assurance to Foresight that personnel security is managed effectively within the organisation.

Communications Security
  Communications Security: Communications security within assessed data centres is considered effective to meet the intent of the applicable controls within the ISM Communications Security section for the handling of UNCLASSIFIED (DLM) information.

Product Security
  Product Security: Microsoft's product security processes, combined with supporting vulnerability management, software and media security processes, are assessed as an effective implementation of the ISM Product Security

Media Security
  Media Security: Foresight found effective media security controls are in place for the handling, sanitisation, destruction and disposal of media.

Asset Management
  Foresight found that asset management is performed effectively within Microsoft, consistent with the requirements for UNCLASSIFIED (DLM) information.

Software Security
  SOE: Operating system security controls are considered effective for the handling and storage of UNCLASSIFIED (DLM) information.
  Application Whitelisting: The application whitelisting controls in place meet the intent of the ISM for the effective control of permitted executables.
  Software Application Development: Foresight found that the approach Microsoft takes to software security, including secure development and deployment, meets or exceeds the security requirements of the ISM.
  Database Systems: Microsoft database security controls meet the compliance requirements for Database Systems within the ISM.

Access
  Privileged Access: Privileged access to systems is appropriately managed and monitored, with controls assessed as effective with regard to applicable ISM
  Event Logging and Auditing: Microsoft's collection and management of Office 365 system and network event logs is a thorough and effective mechanism and meets the ISM requirements for event logging and auditing.

Secure Administration
  Secure Administration: Foresight found that the reviewed security controls for secure administration are considered effective.

Network Security
  Network Management, Design and Configuration: The network management and configuration mechanisms are considered effective security controls for the transmission and handling of UNCLASSIFIED (DLM) data.
  Ensuring Service Continuity: The DDoS controls in place are considered operationally effective and meet the service continuity compliance requirements of the ISM.
  Intrusion Detection and Prevention: The intrusion detection mechanisms within Office 365 are considered effective security controls for detecting malicious or unusual activities within a cloud environment and meet the intent of the controls contained within the ISM.

Cryptography
  Cryptographic Security: The cryptographic functions used within Office 365 are considered to be effective security

Cross Domain Security
  Cross Domain Security: The firewalling capability implemented within Office 365 is considered effective for the protection of UNCLASSIFIED (DLM) information.

Data Transfers
  Data Transfers: The security mechanisms in place for data transfer meet the intent of the ISM and are considered effective security controls for the transfer of UNCLASSIFIED (DLM) information.