The ACSC has recognised the vulnerabilities that agencies face during MoG changes and has issued a Guideline Paper to help agencies protect themselves during those changes (see attached).
The Guide recognises that adversaries target organisations undergoing major organisational change because they know the disruption makes social engineering attacks easier. This doesn't apply just to government agencies: the Guide is equally applicable to corporates, not-for-profits, and local councils that are merging.
Staff inside an organisation undergoing major organisational change will need to quickly form effective relationships with a new set of colleagues, often while operating with significant uncertainty and time pressures. And as usual, it’s the human factor that’s the weakest link, especially when targets and timelines need to be met.
For example, during major organisational change, staff may find they are under pressure to accept the validity of requests for data, payment, or access from people they don’t know and whose identity and authority they cannot easily verify, especially in agencies and organisations that span multiple offices (i.e. in a merged environment, you simply don't know everyone!).
While the ACSC sensibly suggests there should be “arrangements so that staff can readily verify the identity and authority of new colleagues” via introductions, org charts and trusted third parties for “ad hoc” verifications, staff need to stand their ground on information security. They should receive training and awareness reminders during MoG changes as part of an organisation's change management program.
Data migration and amalgamation are also key risks:
There's a lot for merging entities to consider when it comes to records management and information/cyber security. That's why they should be specific "projects" as part of an overall change management/MoG migration program.
What agencies should do
Centium can assist agencies in working through their mergers, amalgamations and migrations by conducting risk assessments and specifying appropriate controls. Now that agencies have merged, we can help by retrospectively assessing whether any exposures have been (unintentionally) created.
For example, we can:
For more information please refer to the ACSC - Mergers, Acquisitions and Machinery of Government Changes guide and contact us to find out how Centium can help you.