Our client is a world-class smart Airport in Australia. It is built to service 10 million passengers per year and is committed to delivering seamless travel experiences for everyone who visits through smart design, technology and 24-hour service. The Airport services domestic, international and freight flights 24 hours a day with airport facilities designed for both low cost and full-service carriers.
Airports have a wide attack surface and rely heavily on the interconnectedness of various systems and technologies to operate efficiently and safely. Like all Critical National Infrastructures, Airports and the Aviation industry as a whole, are increasingly becoming targets for cyber security threats.
To mitigate these risks, airports must adopt strong cybersecurity measures, implement incident management plans, and regularly assess and update their technical practices.
For our client, safeguarding against cyber-attacks is a top priority and it recognised that its increased exposure, together with the importance of its operations, warranted an immediate assessment of its security posture against the Australian Government’s Information Security Manual (ISM), and recognised standards for maintaining cyber security and resilience.
In particular, our client wanted to understand its current cyber security posture to:
- Identify current gaps and vulnerabilities relating to existing controls and technologies.
- Define the breadth and depth of compliance and understand where investment should be made to protect critical assets.
Our cyber security compliance and maturity assessment focused on an in-depth review of our client’s abilities to protect its information assets against today’s cyber threats and was broken into five phases:
In this first phase, we confirmed the scope and agreed on the appropriate governance cycle and engagement. During this phase, we also validated the mission, objectives, and the alignment to high-level priorities.
In this second phase, we deployed a data collection tool and performed a policy and document review related to the ISM which covered our clients:
- Organisational cyber security strategy
- Information security policy and objectives
- Risk assessment and risk treatment methodology
- Inventory of assets, asset classes and acceptable use
- Internal audit program and results of past internal audits
- Results of corrective action from past internal audits
- Vulnerability management policy and procedure
- Incident management policy and procedures
- Business continuity policy and procedures
- Application and access control policies
- Information Backup policy
- Disaster recovery plan
- MFA policy
In the third phase, we analysed the results of our review. This included identifying the level of compliance and non-compliances (including the depth of non-compliance), and the quality and reliability of current documented cyber security standards against the ISM. This provided us with a view of our clients technical and operational maturity.
The penultimate Assess phase took the information gathered from our data collection, documentation review and gap analysis, and fed it into a risk assessment. This provided us with a list of information security risks to be prioritised by risk level and used to inform risk response decisions. To accomplish this objective, we assessed threats and vulnerabilities, impacts and likelihood, and other uncertainty associated with the risk assessment process.
In the final phase of our assessment, we developed a report and communicated the findings with a set of recommendations for our client to achieve Essential Eight Level 3 maturity. The results included the findings against the ISM standards and a maturity assessment, a risk assessment with qualitative and quantitative results, a response to any focus questions, a set of recommendations and prioritised actions to reduce organisational risk for our client.
Following our cyber security compliance and maturity assessment and armed with a comprehensive report of findings and recommendations, our client now has visibility of its vulnerability status across its environment. Along with this visibility, is greater insights into the risks and threat levels they pose, along with a recommended prioritised approach to the controls and actions that can be implemented to reduce exposure.
The assessment, aligned to our client’s business-specific compliance landscape and its medium to long term strategic goals, also serves as a blueprint for future investment areas to provide continual enhancement of its security posture.