Ultimate Governance, Risk & Compliance (GRC) Guides

Do Australian government entities have to undertake security assessments themselves?

 


Yes, Australian government entities are required to undertake security assessments themselves. This is due to the shared responsibility model, which states that while cloud service providers (CSPs) are responsible for the security of the cloud services they provide, the agency itself is responsible for the security of its own systems and data when using cloud services.

The Australian Signals Directorate (ASD) has developed the Information Security Registered Assessors Program (IRAP) to provide assurance to government agencies that CSPs and their cloud services are suitable for handling government data. However, this assessment is only a starting point, and government agencies must still undertake their own security assessments.

Government agencies must assess the security of their own systems and data when using cloud services. This includes assessing the security controls of the CSP, such as authentication, access control, encryption, logging and monitoring. It also includes assessing the security of the systems and data deployed to the cloud, such as the configuration of the systems, the security of the data, and the security of the network.

In addition to assessing the security of their own systems and data, government agencies must also assess the security of the CSP’s cloud services. This includes assessing the CSP’s security policies, procedures, and controls, as well as assessing the security of the cloud services themselves. This assessment should be performed on a regular basis to ensure that the CSP’s security controls remain up-to-date and effective.

The ASD has developed the Cloud Security Assessment Report Template (CSART) to help government agencies assess the security of CSPs and their cloud services. This template is used by an IRAP assessor to assess the security of a CSP’s cloud services and is then used by the agency to conduct a risk-based review to determine if the CSP and its cloud services are suitable for handling its data.

Government agencies are also able to conduct their own supplementary, new and updated cloud services assessments when they want to use a CSP’s cloud services which have not been previously assessed. This removes the need to wait for full reassessments before agencies can adopt new cloud services.

In summary, Australian government entities are required to undertake security assessments themselves in order to ensure the security of their systems and data when using cloud services. The ASD’s IRAP and CSART provide a starting point for assessing the security of CSPs and their cloud services, but it is the responsibility of the government agency to assess the security of their own systems and data, and to conduct supplementary assessments when necessary.


