CRCSI Information Technology Strategic Roadmap
27 Jan 2016


Introduction

This document comprises the IT Review and Strategy Roadmap as undertaken by The Right IT on behalf of the CRCSI. This document is aimed at providing the key stakeholders of the CRCSI with a high level overview of existing IT and offering a number of recommendations to assist in addressing issues, and prioritising the issues identified in line with the CRCSI’s requirements and capabilities. This document does not include detailed technical analysis of systems or services, nor does it provide policies and procedures.

The intended audience within the CRCSI is Phil Delaney, Melanie Plumb, Peter Woodgate, and Graeme Kernich.

Purpose

The purpose of this document is to provide the CRCSI with greater visibility and understanding of the existing technology and its usage within the CRCSI. It also provides an understanding of potential risks, skills gaps, and areas for change or improvement in line with the CRCSI’s broader objectives and requirements. In addition, it provides options for addressing the issues, prioritising the issues, and focusing on Australian hosted solutions where possible.

Associated Individuals

The following individuals were involved in the review.

CRCSI Key Stakeholders;
- Phil Delaney
- Melanie Plumb
- Peter Woodgate
- Graeme Kernich

Melbourne University;
- Peter Bruges


- Thavi Bouphasavanh

The Right IT;
• Julian Ryan
• Nathan Krake
• Chama Wickz
• Matt McInnes (external advisor)

CRCSI Additional Staff;
• Nathan Quadros
• Riyas
• Samantha Bain
• Phil Tickle
• Darren Mottolini
• Jessica Purbrick-Herbst


Introduction ... 2

1 Strategic Roadmap Summary ... 7
1.1 Strategic Roadmap Objectives ... 7
1.2 Roadmap Recommendations summary ... 8
A. Migrating to Office 365 ... 9
B. Endpoint & Application Access Security – initial phase ... 10
C. Security Focused Culture (Policy & Education) ... 11
D. Establishing a CRM Project ... 12
E. Future Considerations ... 13

2 The Existing IT Landscape – here’s where you’re at ... 14
2.1 Policy, Culture, and Capability ... 14
2.1.1 Policy Commentary ... 14
2.1.2 Culture Commentary ... 15
2.1.3 Existing CRCSI Risk Management Controls ... 15
2.1.4 Passwords and Password Management ... 16
2.1.5 Skills Gap Analysis ... 17
2.2 Infrastructure ... 18
2.2.1 Network & Phone System (Melbourne University services) ... 18
2.2.2 Network Security – Lygon St office ... 18
2.2.3 IP Address Allocation at Lygon St ... 19
2.2.4 Tensia Finance Server ... 20
2.2.5 Spare & Unused Equipment ... 20
2.2.6 Local Storage Devices ... 20
2.3 Systems & Applications ... 21
2.3.1 Applications in use ... 21
2.3.2 Device hardening ... 22
2.3.3 Antivirus and PC Security ... 22
2.4 Data Management ... 22
2.4.1 GIS data sets ... 22
2.4.2 Financial Data ... 22
2.4.3 Software development / Source code ... 23
2.4.4 Dropbox Data ... 23
2.4.5 Gmail Email Mailboxes ... 23
2.4.6 Contact Lists ... 23
2.4.7 Data Integrity and Backups ... 23
2.4.8 ‘Project’ Review Process and Research data ... 24

3 Identified Areas for Review – here’s what the issues are ... 25
3.1 Policy & Culture ... 25
3.1.1 Limited Policy Awareness ... 25
3.1.2 Not a Security Focused Culture ... 25
3.1.3 Password Management ... 26
3.2 Process & Capability ... 26
3.2.1 CRCSI Software / Source Code Management ... 26
3.2.2 Informal Technical Support ... 27
3.3 Data Protection ... 27
3.3.1 Data Backups ... 27
3.3.2 Data Encryption ... 27
3.3.3 Dropbox Folder Permissions ... 27
3.3.4 Dropbox Logins ... 28


3.3.5 Personal Device Usage ... 28
3.3.6 Antivirus and Antimalware ... 29
3.3.7 No Restrictions on Outgoing Internet Traffic ... 29
3.4 Systems & Applications ... 29
3.4.1 Mobile Phones as primary phone ... 29
3.4.2 Gmail ... 29
3.4.3 Application updates & Patches ... 30
3.4.4 Data Sovereignty ... 30
3.4.5 Telephony System ... 31

4 Roadmap Recommendations – here’s what we suggest ... 32
4.1 Policy and Culture Recommendations ... 33
4.1.1 Password and Password Management Policy ... 33
4.1.2 Personal Mobile As Primary Phone ... 33
4.1.3 Update Personal Device Usage Policy ... 34
4.1.4 Creating Security Focused Culture ... 35
4.1.5 Insurance Requirements of Data Management ... 35
4.1.6 Define Policy on Data Management and Storage ... 36
4.1.7 Review Source Code Management ... 36
4.1.8 ISO Standard 27001 – Guiding Principals ... 37
4.1.9 Research Data and Project Review Data ... 37
4.1.10 Document Sensitivity Rating ... 38
4.2 Process & Capability Recommendations ... 39
4.2.1 New Systems or Applications Process ... 39
4.2.2 New Equipment Purchasing Process ... 39
4.2.3 New Staff Entry & Exit Process ... 39
4.2.4 Increased End User Education & Training ... 40
4.2.5 Technical Support Escalation Process & Partnership ... 40
4.2.6 Creation of Local PC Administrator On All Computers ... 40
4.2.7 Increased Clarity on Defined Applications For Use ... 41
4.2.8 Contact List Management ... 41
4.2.9 Product Development and Management ... 41
4.3 Data Protection Recommendations ... 42
4.3.1 2 Step Verification / Authentication for Dropbox ... 42
4.3.2 Review Dropbox Folder Permissions ... 42
4.3.3 Implementation of Complex Phone PIN / Passcodes ... 42
4.3.4 Bitdefender AV / AM Security Software on PCs ... 42
4.3.5 Activate Remote Wipe Dropbox Capabilities ... 43
4.3.6 Laptop / PC Backup to Local NAS ... 43
4.3.7 Office Backup of Dropbox Data ... 43
4.3.8 Periodic Dropbox Administrator Password Change & Roll Review ... 43
4.3.9 Device Hardening ... 43
4.3.10 Implement Auto Wipe of Mobile Phones ... 44
4.3.11 Reviewing Application Whitelisting and restricting Outgoing Internet Traffic ... 44
4.4 Systems and Applications Recommendations ... 45
4.4.1 Migration to Office 365 for Email & Contact Management ... 45
4.4.2 Application Updates & Patching ... 45
4.4.3 Review Group Collaboration Requirements ... 45
4.4.4 Evaluate Cloud Based Financial System ... 46
4.4.5 CRM Project ... 46
4.4.6 Network Strategy Post Melbourne University ... 46
4.4.7 Remote Access to GIS Data ... 47
4.4.8 Corporate File Systems and Non GIS Data ... 47


5 Annex 1 – Recommendations Matrix ... 49
6 Annex 2 – Department of Defence CSOC – Top 35 Strategies to Mitigate Targeted Cyber Intrusions ... 51
7 Annex 3 – Existing CRCSI Risk Management Controls ... 53


1 Strategic Roadmap Summary

Included within this summary is an overview of the Strategic Roadmap Objectives and the 5 Key Roadmap Recommendations.

Including this summary, the document is structured into 4 sections;

1. Strategic Roadmap Summary
2. The Existing IT Landscape – here’s where you’re at
3. Identified Areas for Review – here’s what the issues are
4. Roadmap Recommendations – here’s what we suggest

1.1 Strategic Roadmap Objectives

The objectives of this strategic roadmap are to assist the CRCSI in addressing deficiencies and developing a policy framework for future ICT initiatives and ongoing management. This document provides the CRCSI with a more informed view of how existing technology and practices can be improved or changed to support and assist with the mid term objectives of the organisation.

The roadmap recommendations address a number of existing areas for improvement, and improved management and mitigation of risks and threats facing the CRCSI from a technology and cyber security perspective.

Through the review we have defined 5 key strategic principles to inform and influence the roadmap recommendations for the CRCSI.

The key strategic principles guiding the roadmap are;
• Increase ICT Security
• Increase ICT Sophistication
• Maintain Agility and Adaptability
• Maintain Productivity and increase Efficiency
• Create a Security Focused Culture


1.2 Roadmap Recommendations summary

By and large we believe that the existing strategy of cloud based services is suitable for the CRCSI, and this strategy should be maintained for core services in conjunction with addressing issues identified throughout this review.

Within the roadmap are 5 key recommendations that address a large number of the issues identified and the individual recommendations to resolve and manage those issues. Each of these Key Roadmap Recommendations provides an overarching strategy to the individual recommendations identified.

The Key Roadmap Recommendations are;
A. Migrating to Office 365 – Q1 2016
B. Endpoint & Application Access Security – Q1 2016
C. Security Focused Culture (Policy & Education) – Q1/2 2016 (and ongoing)
D. Establishing a CRM Project – Q2/3 2016
E. Future Considerations – Q2–4 2016 & beyond

Each of these key recommendations is summarized individually below. Individual / specific recommended actions and initiatives are outlined in section 4 of this document, Roadmap Recommendations – here’s what we suggest.

A summarized list of specific recommendations is provided in Annex 1 – Recommendation Matrix. The Recommendation Matrix also outlines the related Timeline, Action, Implementation Effort, Exposure & Importance, and Impact & Relevance of each specific recommendation.


A. Migrating to Office 365

This key recommendation addresses a number of existing issues and subsequent recommendations, and as such becomes a key part of the strategic roadmap.

What is Office 365? In the context of this recommendation to the CRCSI, Office 365 comprises a combination of features and applications in the form of a cloud business service from Microsoft. The features incorporate Microsoft Exchange Email capabilities, centralised Directory Management, the suite of Microsoft Office applications, and a number of collaboration tools and further options.

Specific to the recommendations and issues identified at the CRCSI, Office 365 provides the following benefits;
• Centralised email management and administration
• Mobile Device Management, remote wipe
• Password Change & Complexity Enforcement
• MS Office updates and patching
• Possible Collaboration Tools
• Authoritative Contacts List Location
• Increased User Verification & authentication
• Dropbox Integration
• Australian based data storage (Data Sovereignty)


B. Endpoint & Application Access Security – initial phase

This roadmap element comprises a number of actions relating to a variety of security issues identified relating to inconsistencies and low levels of security on staff devices and applications in use.

The initial actions recommended for increasing endpoint / device & application access security include;
• Implementing Bitdefender Endpoint Security (Best in class, cloud managed Antivirus / Antimalware solution)
• Dropbox 2 step verification
• Dropbox permissions update
• Password & PIN strengthening policy (including applications and devices)
• Reducing Personal Device usage and access to corporate data
• Source code management changes & further review
  o Clear IP accountability, access, and management


C. Security Focused Culture (Policy & Education)

The key element of this recommendation is to increase and then maintain staff education and awareness of the importance of, and need for, a security consciousness. This review process has in itself provided an initial step in creating greater awareness of the importance of security. The individual recommendations that relate to this objective of creating a security focused culture are mainly around staff education on policies (both new and existing) through increased communication and clarity. In addition, this includes creating specific awareness of why changes are happening within the organization.

The short term areas that this education and awareness relate to are;
• Use of personal devices (phones and home computers)
• All changes relating to the Endpoint & Application Access Security changes
• Password management policies
• Clarity on what is the CRCSI’s sensitive information, how to identify it, and related policy
• The main behavioral vulnerabilities that affect and undermine security measures
• Reframing the ideology of personal trust as compared to controlling vulnerability and limiting risk


D. Establishing a CRM Project

The fourth roadmap recommendation is to undertake a CRM project. Currently the CRCSI has fragmentation of both the relationship lifecycle with partners / clients and the sales and business development processes. The implementation of a suitable CRM is also an important element in the transition of the CRCSI to becoming a private equity organization.

Internally reviewing the business processes and ideal requirements that relate to these areas of the business will provide an opportunity to create a foundation for improving visibility, in addition to deepening the BDM team activities into the organization.

An effective and suitable CRM will also deliver improvements in areas such as;
• Consistency of application use
• Increased collaborative awareness
• Communication tracking and relationship visibility
• Reduced technology islands that presently exist with contacts & some BDM documents

The CRM project’s initial action is to identify organizational requirements and undertake business process analysis, both current and foreseeable. After which, the evaluation of potentially suitable CRM products / services would be undertaken whilst considering the key strategic principles.


E. Future Considerations

Future considerations are those items that have been identified as relating more to events and changes over the coming 1 to 3 years or requiring additional planning and discussion. The actionable elements of these recommendations include the consideration of identified items in the strategic outlook of the organization, and the budgeting of these possible changes / activities.

Some specific recommendations that are included within this roadmap area are;
• Network and Telecommunication services strategy post Melbourne University campus
• Cloud deployed GIS Data & Azure like service utilization – Domestic data locality
• Use of ‘pay as you go’ cloud computing resources for large computation activities
• Using the guiding principles of ISO Standard 27001 – Information Security Standard
• Laptop / PC backups to local NAS
• Device encryption
• Domestic (Australian) backup of all Dropbox data (or relocation to alternative in Australia)
• Cloud based financial system
• Product Development (capitalizing on IP and source code)


2 The Existing IT Landscape – here’s where you’re at

The following section provides a summary of the existing IT landscape of the CRCSI as discovered in the review.

In addition to the information below, please refer to the CRCSI Staff Interviews Summary document that contains more detailed information and findings following a number of one-on-one interviews with key CRCSI staff.

2.1 Policy, Culture, and Capability

2.1.1 Policy Commentary

In comparative terms for organisations of similar size, the CRCSI has well developed policies relating to IT. There are a number of existing policies and procedures relating to individual areas of the IT within the CRCSI. These incorporate some important elements and include;
o Data storage and management
o Business Continuity
o Collaboration and Communication
o Support
o Expected Conduct
o Intellectual Property protection and management

These individual policies specifically relate to;
o Intellectual Property
o Dropbox
o Business Continuity
o HR Handbook (conduct related – not yet released)
o Media & Social Media


2.1.2 Culture Commentary

The CRCSI offers staff a high level of autonomy and flexibility in how they utilize IT equipment and resources to meet individual functions and objectives. There also appear to be some internal product-specific or IT champions with specific domain or application knowledge that is leveraged quite well amongst the team.

A further observation, however, is that in some cases the domain knowledge is not necessarily part of the core job function and as such may be a distraction and possibly unproductive for those individuals assisting or educating others.

Additionally there is a high degree of collaborative intention in achieving organizational objectives. This is evident from the high level of care and consistency amongst those individuals interviewed. The IT tools used for actual collaboration, however, are inconsistent and not well known.

Staff have a favourable view of using personal devices for work purposes.

Most staff operate on a common sense approach to a few key areas relating to IT, namely:

• Password creation and management
• Management of sensitive information
• Data storage and management

2.1.3 Existing CRCSI Risk Management Controls

The CRCSI has identified a number of risks relating to IT as outlined within the CRCSI Risk Management Plan & Register V1.4 (May 2015). These have been summarized within this document in Annex 3 for reference purposes.

The précis of these risks and their existing management is:

Key points of the risks
o Commercialisation and protection of Intellectual Property
o Business Continuity and geographic / office dependency
o Loss of research data
o Loss of corporate data (operationally disruptive loss)
o Theft or misuse of data

Key strategies of managing this risk
o Project Leaders manual; significant ownership of risk management sits with Project Leaders
o User habits and processes and individual sense of ownership
o Data backups and redundancy
o Anti Virus / Spam filtering & Firewalls
o A number of internal policies and procedures (both prevention and response)

2.1.4 Passwords and Password Management

Staff are not aware of any CRCSI policy on Passwords and Password Management. This is evident from the variety of methods and practices used by interviewed staff in the creation, storage, and management of their passwords for corporate services and systems.

The creation of passwords and their relative complexity is very much based on an individual's perception of the specific importance of the relevant service or system, combined with their individual awareness and subjective view on what is 'suitably complex'.

In many instances staff do not have the same passwords for the core systems and applications used by the CRCSI, and many also deemed that 'suitably complex' included a variety of CAPITAL letters, lowercase and numbers. Most staff cited 8 – 12 characters as the typical password length that they would use.

Password management and storage location is highly inconsistent, varying from managing passwords only in an individual's head, to relying on a register maintained by Wendy for some systems. Other storage locations of passwords included files in Dropbox, notes on mobile phones, cached Google cookies, emails, and credentials cached within applications and browsers. A password kept in a Dropbox file or an email is exposed to anyone who gains access to that Dropbox or email account, so these storage habits compound the account security issues discussed later in this document.


2.1.5 Skills Gap Analysis

Interviews with staff suggest a few areas of potential improvement:

• Gmail usage and capabilities
• Use of CRM
• Internal IT support
• End user training on systems / applications
• End user education on CRCSI policies and procedures
• Group collaboration tools


2.2 Infrastructure

For benchmarking the existing systems and infrastructure in use at the CRCSI, the current systems were also evaluated in conjunction with the top 35 Strategies to Mitigate Targeted Cyber Intrusions, as outlined by the Cyber Security Operations Centre (Australian Signals Directorate, Department of Defence). Annex 2 provides a summary table of the current and planned compliance with the various mitigation strategies.

Of those mitigation strategies relating to network related infrastructure, the Melbourne University services utilized by the CRCSI provide a high degree of resilience and protection. For those mitigation strategies relating to PC / endpoint and end user practices there are a number of existing deficiencies. These are discussed individually within this document.

2.2.1 Network & Phone System (Melbourne University services)

The Melbourne University Network & Phone system infrastructure provides the CRCSI with a complete and mature network environment within the Lygon St office. The Melbourne University network is a comprehensive, well funded, secure, and well managed 'Campus' network of an Enterprise standard.

With Melbourne University's use of best of breed Cisco infrastructure and best practice campus design, this provides the CRCSI with a high-grade network infrastructure. It would be a great expense to build a comparable network.

The existing phone system is a robust and mature Enterprise IP Telephony deployment within the Cisco Unified Communications suite.

2.2.2 Network Security – Lygon St office

The communications rack is housed in a secure room with restricted access, inside the CRCSI tenancy. The room is well ventilated and room temperature was suitable for the infrastructure. This provides suitable physical security, with the exception that the level 5 co-tenant (IBM Research) also has physical access to the room, so physical access to the CRCSI's network equipment is not under the CRCSI's sole control.


The power cables on the floor and around the communications rack were unorganized and untidy. This represents an operational risk of unplanned equipment power outages; however it remains unclear to what extent the unorganized power is solely related to the IBM equipment.

The network equipment provided by Melbourne University at Lygon St is enterprise grade Cisco hardware, providing redundancy by design, including redundant fibre optic connectivity back to the Melbourne University network core.

The logical security of the network restricts access to only authorized devices. This provides a very effective mitigation strategy in preventing potential risk. All network access & authorization is managed through formal requests to Melbourne University and then managed internally within Melbourne University HR & Network procedures.

The network is also logically separated from all other Melbourne University edge networks, providing suitable segmentation and segregation.

2.2.3 IP Address Allocation at Lygon St

The IP address range for the office is a private address space, 10.1.216.0/22 (10.1.216.0 – 10.1.219.255), and is managed by Melbourne University. DNS is also within the Melbourne University network.

All devices are allocated their IP address dynamically and automatically via DHCP within the network.

Printers (network connected) are set with static IP addresses, and these are allocated public IP addresses (Internet addresses). By default within the Melbourne University network all incoming ports from the Internet are blocked. Any requirements for open ports for incoming connections are handled on a per application basis through the network operations group at Melbourne University. Because the printers hold Internet-routable addresses, their exposure depends entirely on that border filtering remaining in place; this is worth confirming whenever a port-opening request is made.


2.2.4 Tensia Finance Server

The existing Tensia Finance server is a fully managed service and equipment by Federation International. This service includes backups, maintenance, disaster recovery, and remote administration.

Full daily backups are provided which are then copied to managed cloud backup space. Server health checks are performed every 2 weeks, with remote maintenance done via iDRAC (Dell Remote Access Controller).

Contact details: Mark Vasudeva 0394313300. Federation International Pty Ltd.

2.2.5 Spare & Unused Equipment

Currently there are a number of devices that are unused that remain in the office. These include old PCs and desktop computers, and 1 laptop. These are largely unsecured beyond being in the secure office space. Retired devices of this kind may still hold copies of data from their previous use, so they should be treated as data-bearing until their disks are wiped.

There are a few spare monitors (new) and laptop docking stations within the office also.

2.2.6 Local Storage Devices

Currently there are 4 local storage devices primarily used for the storage and management of GIS data. 2 of these devices are available on the network, and 2 are directly connected via USB to individual computers as required.

These devices are Drobo NAS (Network Attached Storage) units with built in off-the-shelf RAID protection on the hard disks. Each Drobo NAS provides approximately 15TB of usable space. Note that RAID protects against the failure of individual disks only; it does not protect against accidental deletion, file corruption, or loss of the unit itself, and so is not a substitute for a backup.


2.3 Systems & Applications

2.3.1 Applications in use

Currently there are a small number of core applications / systems used, in addition to some department specific and peripheral / individually used applications.

Core applications include:

• Gmail for email and calendaring
  o Staff use a combination of web browser, IMAP / POP clients, and mobiles to access the Gmail services.
  o Accounts are individual Gmail mailboxes with a domain redirection service mapping all @crcsi email aliases to the individual Gmail mailbox.
• Dropbox for File & Document storage & management
  o Staff use a combination of work PCs / laptops, home PCs, and mobiles to access Dropbox services.
• Microsoft Office for file and document creation and editing
• Personal preference in web browsers

Department specific applications in use:

• Pipedrive CRM – for basic BDM pipeline management
• Tensia for financial and accounts
• Visual Studio for software development management
• Mailchimp for auto responder and email campaign management

Peripheral applications in use:

• Google Drive for files and document creation / collaboration
• Software development tools in use
• Internally developed source code / applications


2.3.2 Device hardening

There are currently no measures in place to harden the security of data stored on phones or computers, including those travelling outside of the CRCSI offices and Australia. The logical and physical protection of these devices is limited to password protection or simple PIN codes on phones. Without storage encryption, a login password or PIN does not protect the data at rest: the disk can be read by removing it or by booting the device from other media.

2.3.3 Antivirus and PC Security

There is no existing ability for centralized visibility or management of computer security / antivirus protection for CRCSI devices or personal devices with access to or copies of sensitive data.

There is also no existing corporate policy or consistency of antivirus software on PCs. Many PCs have McAfee antivirus software, often the preinstalled version at the time of purchase. Preinstalled (trial) versions commonly stop receiving signature updates once the trial period lapses, which is worth confirming on each PC.

Gmail is providing a high level of protection from incoming SPAM and malicious email content.

2.4 Data Management

2.4.1 GIS data sets

GIS data is largely managed on the Drobo NAS devices as highlighted above, in addition to various copies of individual or multiple data sets in a number of locations. These large volumes of data are copied and moved on an as-needs basis for research, analysis, and partner activities.

2.4.2 Financial Data

Financial data is managed as part of the Tensia service including offsite backups. Management / access is via a remote desktop session on the Tensia server, whereby accounts records and the processing remain on the server. There is currently no remote access outside of the office. 3rd party financial functions such as banking and superannuation are done via web browser.


2.4.3 Software development / Source code

Currently CRCSI source code and software development is managed through a combination of manual copies / backups and the primary Visual Studio service used by Riyas. This seems to be an organically developed and informal process.

2.4.4 Dropbox Data

All general operational files & document data is managed and stored in Dropbox, with security access at the folder level on an individual user account basis. Dropbox is discussed under more specific topics throughout this document.

2.4.5 Gmail Email Mailboxes

Currently there are no defined management processes for, or access to, individual mailboxes beyond that of the individual. There is limited visibility and reporting on email, and no defined archival or access procedures.

2.4.6 Contact Lists

Contact lists are currently managed and stored in a number of locations with no apparent authoritative source. Existing locations of contact information include Pipedrive, Mailchimp, and individual address books and contact lists.

2.4.7 Data Integrity and Backups

There appears to be limited organisational awareness as to what extent data is backed up, how and when. There is currently no formal data backup for Dropbox files or email content beyond what is done by the relevant service provider (Google, Dropbox, Pipedrive etc). Financial data and records are backed up offsite on a regular basis as part of the managed Tensia service.


Staff that manage data and information outside of the primary systems (Dropbox, Gmail, Tensia, Pipedrive) have self-developed, informal procedures regarding backing up of data. For example, source code is copied to a local laptop before major revisions are made. Multiple copies of GIS data are held in varying segments in numerous locations, which is deemed as backup. Ad hoc copies of this kind only serve as a backup if someone knows which copy is current and can confirm that it is complete and intact; neither is currently verified.

There is limited knowledge of any existing process or plan relating to recovery from device failure or loss.
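The gap between "we have several copies" and "we have a backup" is a verification step. The following is an added example written for this page, not code from the CRCSI roadmap or from any CRCSI system: it records a SHA-256 manifest of a source tree at backup time and later re-checks a copy against it, reporting files that are missing, silently changed (same name, size and timestamp, different content) or unexpectedly present. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Backup integrity check: hash a source tree, then verify a copy against it.

Added example (not from the CRCSI roadmap). It shows the minimum that turns an
ad hoc copy on a laptop or NAS into a verifiable backup: a manifest of SHA-256
digests written at backup time and re-checked later. Paths, file names and
contents below are constructed for the demonstration.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so multi-GB GIS rasters are never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_copy(manifest, copy_root):
    """Compare a copy against the manifest taken from the original.

    Returns three sorted lists: files absent from the copy, files whose content
    differs from the manifest, and files present only in the copy.
    """
    actual = build_manifest(copy_root)
    return {
        "missing": sorted(p for p in manifest if p not in actual),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(p for p in actual if p not in manifest),
    }


def demo():
    """Constructed scenario: a copy with one silently corrupted file and one deleted file.

    Returns the verification report so the outcome can be checked.
    """
    workdir = tempfile.mkdtemp()
    try:
        src = os.path.join(workdir, "gis_data")
        os.makedirs(os.path.join(src, "lidar"))
        with open(os.path.join(src, "lidar", "tile_001.las"), "wb") as fh:
            fh.write(b"\x00" * 4096)  # constructed stand-in for a LiDAR tile
        with open(os.path.join(src, "README.txt"), "w") as fh:
            fh.write("constructed sample data set\n")
        with open(os.path.join(src, "notes.csv"), "w") as fh:
            fh.write("id,value\n1,42\n")

        manifest = build_manifest(src)  # in practice, stored alongside the backup

        dst = os.path.join(workdir, "nas_copy")
        shutil.copytree(src, dst)
        # Simulate bit rot on the copy (one flipped byte, size unchanged) and a deletion.
        with open(os.path.join(dst, "lidar", "tile_001.las"), "r+b") as fh:
            fh.seek(100)
            fh.write(b"\x01")
        os.remove(os.path.join(dst, "notes.csv"))

        return verify_copy(manifest, dst)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Kept next to each copy on the NAS, a manifest like this also answers which of the multiple copies of a GIS data set is complete and current; a copy whose manifest fails verification should not be relied on for recovery.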

%

2.4.8 'Project' Review Process and Research data

It is understood from the staff interviews that 'Project' submissions/documents can often contain both internal and external stakeholder intellectual property. The current Project review processes relating to who receives these documents and related information could be reviewed to further understand the implications of sending sensitive information outside of the CRCSI.

According to the CRCSI Dropbox for Teams Protocols Draft document, currently all staff have access to all Research data and folders on Dropbox.


3 Identified Areas for Review – here's what the issues are

The issues identified have been categorized into the following areas:

• Policy & Culture
• Process & Capability
• Data Protection
• Systems & Applications

3.1 Policy & Culture

3.1.1 Limited Policy Awareness

Most staff operate on a basis of common sense regarding the protection of sensitive data. There exists an issue of staff not being sufficiently aware of, or educated on, existing policies that have a direct impact on the protection of intellectual property and sensitive data.

Additionally there are instances of staff using a variety of systems and applications that are not visible or accessible by the organization, and the staff are not clearly educated on which application to use in varying circumstances.

There exists a lack of awareness of the importance and significance that Dropbox plays in the storage and retention of CRCSI corporate data. This results in a high degree of end user complacency regarding the security and management of data within Dropbox.

3.1.2 Not a Security Focused Culture

Currently the CRCSI does not have a strong security culture amongst staff. This represents a high exposure in that even the best security measures can be undone by unintentional actions. The current level of staff education and security awareness presents a large risk.

The culture goes beyond that of good governance and policy, and extends largely into education and awareness.


3.1.3 Password Management

There are a number of issues with the existing management of passwords within the CRCSI. These include:

• No defined policy on password creation and complexity, nor storage
• Broad ranging storage habits
• Many non-complex passwords in use
• Reuse of passwords across multiple systems including personal usage
• Relaxed habits relating to changing passwords on critical applications (like Dropbox & Email)

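Two of the issues above, non-complex passwords and reuse across systems, can be checked mechanically against a register such as the one described in 2.1.4. The following is an added example written for this page, not part of the CRCSI roadmap or of any CRCSI tooling. It applies the thresholds proposed in recommendation 4.1.1 (8 characters with upper, lower and digits or a 15+ character passphrase for users; 12 characters including a special character for administrators; no familiar words, names or dates). The familiar-word list and the sample register of systems, users and passwords are constructed for the demonstration.

```python
"""Password policy review for the issues listed in 3.1.3.

Added example written for this page; it is not part of the CRCSI roadmap or
of any CRCSI tooling. Thresholds are those proposed in recommendation 4.1.1.
The familiar-word list and the sample register below are constructed.
"""
import re
from collections import defaultdict

# Constructed stand-in for "familiar words": organisation terms, local names,
# first names. Deliberately not a full dictionary, so a 15+ character
# passphrase built from ordinary words still passes.
FAMILIAR_WORDS = sorted({"crcsi", "dropbox", "password", "melbourne", "lygon", "summer", "wendy"})

# Four-digit years (19xx / 20xx) and dd/mm or dd/mm/yyyy style dates.
DATE_PATTERN = re.compile(r"(?:19|20)\d{2}|\d{1,2}[/\-.]\d{1,2}(?:[/\-.]\d{2,4})?")


def complexity_findings(password, admin=False):
    """Return the list of policy violations for one password (empty means it passes)."""
    findings = []
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)

    if admin:
        if len(password) < 12:
            findings.append("admin password shorter than 12 characters")
        if not (has_upper and has_lower and has_digit and has_special):
            findings.append("admin password lacks upper, lower, digit and special character mix")
    elif len(password) < 15:  # under 15 characters it is a password, not a passphrase
        if len(password) < 8:
            findings.append("shorter than 8 characters")
        if not (has_upper and has_lower and has_digit):
            findings.append("lacks upper, lower and digit mix (or use a 15+ character passphrase)")

    lowered = password.lower()
    for word in FAMILIAR_WORDS:
        if word in lowered:
            findings.append(f"contains familiar word '{word}'")
    if DATE_PATTERN.search(password):
        findings.append("contains a date or year")
    return findings


def reuse_groups(credentials):
    """Group register entries (system, user, password) that share one password.

    Returns a sorted list of groups, each a sorted list of 'user@system', for
    every password that appears more than once. Passwords are never echoed.
    """
    by_password = defaultdict(list)
    for system, user, password in credentials:
        by_password[password].append(f"{user}@{system}")
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


def review(credentials, admin_users=()):
    """Run both checks over a register; returns {'complexity': {...}, 'reuse': [...]}."""
    complexity = {}
    for system, user, password in credentials:
        findings = complexity_findings(password, admin=user in admin_users)
        if findings:
            complexity[f"{user}@{system}"] = findings
    return {"complexity": complexity, "reuse": reuse_groups(credentials)}


# Constructed sample register: fictional systems, users and passwords.
SAMPLE_REGISTER = [
    ("dropbox", "alice", "Summer2015"),           # familiar word and a year
    ("gmail", "alice", "Summer2015"),             # same password reused on a second system
    ("laptop", "alice", "Tr0ub4dor&3xyz"),        # 14 characters, mixed classes: passes
    ("dropbox", "bob", "lygon street office"),    # passphrase length, but contains a familiar word
    ("tensia-admin", "admin", "Adm1nPass!"),      # administrative account, too short
    ("gmail", "carol", "quartz-river-kite-78"),   # 20 character passphrase: passes
]

if __name__ == "__main__":
    result = review(SAMPLE_REGISTER, admin_users={"admin"})
    for location, findings in result["complexity"].items():
        print(location, findings)
    print("reused:", result["reuse"])
```

Running a check like this over a plaintext register is only defensible because the register already exists; the report deliberately names locations rather than passwords, and the register itself should be moved into encrypted storage as recommended in 4.1.1.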

3.2 Process & Capability

3.2.1 CRCSI Software / Source Code Management

The absence of consistency in the management, access, and storage of CRCSI software / source code, which represents key intellectual property, creates a number of issues.

Without clear policies on where and how source code is stored, keeping track of the code and knowing how it is accessible becomes an issue in itself.

Whilst the existing practice suggests that there are ample copies of the majority of source code, who has access and where it is, is in itself an issue. With copies of source code being stored on individual laptops, 'Drobo' NAS units, the VisualStudio.com cloud service, and sometimes with research partners, who has access to it is very unclear. Without knowing who has it, it is almost impossible to manage effectively.

The selection of Visual Studio, and how source code is stored outside of it, appears not to have been done with consideration of the broader CRCSI requirements. As a side note, Visual Studio Team Services is ISO 27001:2013 certified; that certification covers Microsoft's operation of the service and says nothing about who within or outside the CRCSI holds access to the CRCSI's own repositories.


3.2.2 Informal Technical Support

Currently staff generally depend on the knowledge of other staff for technical assistance in the event of difficulties, with a few known 'product champions' being the informal 'go to'. This creates the following issues:

• Distraction from primary function for the 'go to' individuals
• Occasional frustration if no one is around, or a limit of knowledge
• Uncertainty as to how a problem will get resolved
• Staff creating inefficient work-arounds to issues

3.3 Data Protection

Who would benefit from having CRCSI information?

3.3.1 Data Backups

Currently the CRCSI has no formal or structured data backups beyond that inherent with the Dropbox service and other cloud services. Provider-side retention does not protect against deletions or overwrites synchronised from a compromised or mistaken account; those propagate to every linked device.

3.3.2 Data Encryption

Currently the CRCSI has no data encryption beyond that inherent with the Dropbox architecture / service. Dropbox's encryption covers data in transit and on Dropbox's servers; files synchronised to a laptop sit in plain form on the local disk. For those staff that retain sensitive data on their devices, this creates a possible issue in the event of device loss or theft. This is also a broader issue relating to those staff who take devices internationally.

3.3.3 Dropbox Folder Permissions

Existing Dropbox folder permissions appear to have been applied based on what is deemed internally sensitive to individuals based on job function. This creates the issue of many staff having potentially unnecessary access to data, which they both don't require and are possibly unaware of whether it contains externally sensitive data.

This creates an issue when taking a broader view of cyber security and the management and protection of organizational data.


3.3.4 Dropbox Logins

Currently logging into Dropbox only requires a username and password. Often these passwords are non-complex and cached within the device. In some instances staff were unsure of their Dropbox password, and used the same password for other systems/services.

This creates the issue of a very low level of security for accessing the CRCSI's primary data storage system, which is accessible from anywhere. Because the same password is reused elsewhere, a breach of any one of those other services exposes the CRCSI's Dropbox data; Dropbox offers two-step verification, which would blunt this, but it is not in use.

3.3.5 Personal Device Usage

With staff using personal computers to access corporate data (email & Dropbox), this presents a number of issues. Note, these issues are not necessarily consistent across the entire organization.

a. The absence and/or inconsistency of antivirus and antimalware on personal computers. This creates an issue where measures taken by the CRCSI to protect data on corporate devices do not extend to all devices used to access sensitive data.

b. Physical access to personal devices is in no way within the control of the CRCSI. This creates increased risk of device compromise and data theft.

c. Use of personal devices ties the CRCSI to an individual's personal and social profile and whether they are likely targets of a personalised attack. Malware and spyware in conjunction with 'big data' may identify individuals as possible personalised targets for attack, which in turn may inadvertently lead to the CRCSI becoming a target. Personal devices may also be an easy target in a targeted attack on the CRCSI, based on personalised attacks drawing on publicly available information about individuals (LinkedIn, Facebook, Meetup etc).


3.3.6 Antivirus and Antimalware

Currently the CRCSI has disparate and inconsistent endpoint security software with no visibility or centralized management of the PC security status. This creates issues with both actual protection of devices in addition to an inability to control and manage the devices on an ongoing basis.

3.3.7 No Restrictions on Outgoing Internet Traffic

Currently the network is configured to allow all traffic / sessions originating from within the network to be deemed 'trusted' by the Melbourne University network. The issue that this creates is that should there be malware inside the office, it can reach its command-and-control or data exfiltration infrastructure on the Internet unimpeded, and so expand its impact.

Note: The implications of changing or controlling this are both expensive and onerous.

3.4 Systems & Applications

3.4.1 Mobile Phones as primary phone

Many staff utilize personal mobile phones as their primary work phone for communicating both internally and externally. This creates the issue of phone number and user relationship retention when staff leave the organization.

Additionally it reduces visibility of client / partner interactions and creates potential silos and bottlenecks within the organization.

3.4.2 Gmail

Existing use of individual Gmail accounts creates an environment that is difficult to manage and maintain. This usage also creates challenges relating to outgoing staff and the ongoing access and management of their email history.

The use of Gmail is broadly assumed knowledge, resulting in some staff being unaware of features and capabilities, and creates inefficiency.


Gmail also creates limited visibility and access to CRCSI information and data that is stored in individual mail files.

Some staff do not have offline access to stored email content and predominantly access Gmail via a web browser. This again creates an issue of efficiency in addition to considerations regarding business continuity.

There is no effective administration method for the existing environment.

As elaborated below, Gmail also presents the issue of data sovereignty.

Access to Gmail when travelling in China remains uncertain. (As does Dropbox, however the data remains available offline.)

3.4.3 Application updates & Patches

Currently the CRCSI has no process or method for updating applications (patches & version upgrades) on devices. This creates a major exposure as new vulnerabilities are identified and made public. Exploitation of known, unpatched vulnerabilities accounts for a large number of real world security breaches; patching applications and patching operating systems are two of the 'Top 4' of the mitigation strategies referenced in section 2.2.

3.4.4 Data Sovereignty

Existing cloud services in use by the CRCSI that are provided by Google (Gmail and Google Docs), in addition to Dropbox, currently present the issue of the data being housed and legislated within the United States. This issue implies that the CRCSI data is exposed to regulation relating to control, access, and management of data that is beyond Australian borders.

The US Patriot Act can force organisations to disclose data, and vendors don't have to inform their customers that private data has been accessed. The CRCSI should consider that data will be under US jurisdiction, and if wanting increased data security in this context should look for an alternative.


Whilst Dropbox files are encrypted and described by Dropbox as 'heavily guarded', Dropbox data centres are located in the US, and because Dropbox holds the encryption keys, that encryption does not change which jurisdiction can compel disclosure of the data. For further information refer to the Dropbox for Business Security Whitepaper and the standards certifications of Dropbox in relation to both security and data protection, as published on dropbox.com.

3.4.5 Telephony System

The existing telephony system is capable of providing complex and sophisticated functionality; however as the CRCSI requirements change, or it approaches commercial independence, the service provided by Melbourne University (MU) may not be flexible within the confines of MU policy, and potentially unable to be changed in a manner that suits the CRCSI. Examples may include remote or roaming staff, follow-the-sun call distribution, call recording, contact centre, or 3rd party application integration (e.g. CRM).

We suggest this be retained as a future consideration as the CRCSI continues to evolve.


4 Roadmap Recommendations – here's what we suggest

Strategy and recommendations are outlined to provide the best adaptability and management of a constantly changing ICT landscape, seeking to best position an organization to deal with:

• Known Knowns
• Known Unknowns
• Unknown Unknowns

The recommended actions are listed in the following 4 sections:

• Policy and Culture Recommendations
• Process and Capability Recommendations
• Data Protection Recommendations
• Systems and Applications Recommendations

Each recommendation below identifies a Title, Strategic Roadmap Area, Timeline suggestion, and Recommended Action.

Timeline suggestions have been formulated on The Right IT's subjective view of Importance / Urgency as a result of considering the ease of implementation, exposure & importance, and impact & relevance. Annex 1 provides a matrix of the recommendations listed below and includes The Right IT's view of these elements.

A number of recommendations and outcomes are suggested for the CRCSI relating to security and risk regarding IT infrastructure, services, systems, and related data.

Security concerns are largely orientated toward the ongoing management of sensitive data, including Intellectual Property and data relating to partners and research stakeholders.


4.1 Policy and Culture Recommendations

4.1.1 Password and Password Management Policy

Roadmap Areas: Security Focused Culture, and Endpoint & Application Access Security

Timeline / Urgency: Q1 2016

Recommended Action: Create and implement a clear policy on the creation, complexity and storage of passwords.

Specific suggestions relating to this are:

• Individual application & computer passwords: a minimum 8 character length with uppercase, lowercase, and numbers, or a minimum 15 character passphrase
• Administrative passwords: a minimum 12 character length with uppercase, lowercase, numbers, and special characters
• No familiar words, names, or dates contained within the password
• Different passwords for Computer, Email, and Dropbox systems
• Computer, Email and Dropbox passwords committed to memory and not written down
• User level passwords changed every 6 months at a minimum, or immediately if shared with anyone or if possibly known by others
• User level passwords to be changed by the Administrator immediately upon staff ceasing employment
• Administrative passwords changed every 3 months at a minimum
• Passwords not stored on any device without encryption
• Do not use ‘Remember Password’ features for any system containing sensitive information
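The complexity rules above can be turned into a checker that a help desk or onboarding script runs before a password is accepted. The following is an added example, not part of the roadmap or any CRCSI tooling: it encodes the user rule (8+ characters with uppercase, lowercase and numbers, or a 15+ character passphrase), the administrative rule (12+ characters with all four classes) and the "no familiar words, names or dates" rule. The deny list and the date patterns are constructed assumptions; a real deployment would load staff and partner names and organisation terms in place of the handful of sample terms.

```python
import re

# Constructed deny list standing in for the policy's "familiar words, names, or dates".
# Assumption: a real deployment loads a larger list (staff and partner names, organisation
# terms, common dictionary words) rather than this handful of samples.
FAMILIAR_TERMS = ("password", "crcsi", "melbourne", "dropbox", "welcome", "summer", "winter")

# Dates embedded in a password: a four-digit year, or d/m/y with separators (assumed patterns).
DATE_PATTERNS = (
    re.compile(r"(?<!\d)(19|20)\d{2}(?!\d)"),
    re.compile(r"(?<!\d)\d{1,2}[/.\-]\d{1,2}[/.\-]\d{2,4}(?!\d)"),
)

USER_MIN, USER_PASSPHRASE_MIN, ADMIN_MIN = 8, 15, 12


def character_classes(pw):
    """Which of the policy's character classes the password contains."""
    return {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "numbers": any(c.isdigit() for c in pw),
        "special characters": any(not c.isalnum() and not c.isspace() for c in pw),
    }


def contains_familiar_term(pw):
    """True when a deny-listed word or a date pattern appears anywhere in the password."""
    lowered = pw.lower()
    if any(term in lowered for term in FAMILIAR_TERMS):
        return True
    return any(p.search(pw) for p in DATE_PATTERNS)


def check_password(pw, admin=False):
    """Return the list of policy violations; an empty list means the password complies.

    User accounts: 8+ characters with uppercase, lowercase and numbers, OR a 15+ character
    passphrase. Administrative accounts: 12+ characters with all four classes.
    """
    problems = []
    classes = character_classes(pw)
    if admin:
        if len(pw) < ADMIN_MIN:
            problems.append(f"administrative passwords need at least {ADMIN_MIN} characters")
        missing = [name for name, present in classes.items() if not present]
        if missing:
            problems.append("administrative passwords need " + ", ".join(missing))
    else:
        passphrase_ok = len(pw) >= USER_PASSPHRASE_MIN
        complex_ok = (len(pw) >= USER_MIN and classes["uppercase"]
                      and classes["lowercase"] and classes["numbers"])
        if not (passphrase_ok or complex_ok):
            problems.append(f"needs {USER_MIN}+ characters with uppercase, lowercase and numbers, "
                            f"or a {USER_PASSPHRASE_MIN}+ character passphrase")
    if contains_familiar_term(pw):
        problems.append("contains a familiar word, name or date")
    return problems


if __name__ == "__main__":
    for candidate, is_admin in [("Tr0ub4dor", False), ("Summer2016!", False),
                                ("1234", False), ("Correct-Horse-99", True)]:
        verdict = check_password(candidate, admin=is_admin)
        print(f"{candidate!r} (admin={is_admin}): {'OK' if not verdict else '; '.join(verdict)}")
```

The same check rejects the simple 4-digit mobile passcodes that 4.1.2 and 4.3.3 rule out. One design choice to settle when adopting the policy: if "familiar words" is read as every dictionary word, the 15 character passphrase option becomes unusable, so the deny list here is limited to names, organisation terms and dates rather than the whole dictionary.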

4.1.2 Personal Mobile As Primary Phone

Roadmap Areas: Security Focused Culture, and Endpoint & Application Access Security

Timeline / Urgency: Q1 2016

Recommended Action: The creation / clarification of a policy that considers the CRCSI’s ideals regarding the use of personal mobiles for external communications, in conjunction with record keeping and possible number retention by the CRCSI.

Specific suggestions relating to this are:

• Staff with customer facing roles must surrender their mobile number to the CRCSI when leaving the organization
• Phones must be backed up on a weekly basis
• Mobile device security measures will extend to the deletion of phone data after 10 failed attempts
• The use of simple passcodes (4 digit) is not allowed. Passcodes must comply with password complexity requirements
• Notification requirements in the event of device loss / theft

A further mid-term recommendation is to identify which roles within the business reasonably require a mobile phone to perform their function effectively, and for the CRCSI to then provide them with a mobile phone as part of a ‘corporate plan’.

4.1.3 Update Personal Device Usage Policy

Roadmap Areas: Security Focused Culture, and Endpoint & Application Access Security

Timeline / Urgency: Q1 2016

Recommended Action: Further to the above regarding personal mobiles, it is beneficial to clarify CRCSI policy regarding the use of personal devices for the purpose of accessing cloud services (including Dropbox, Email, Pipedrive, Mailchimp).

Specific suggestions relating to this include:

• Include phones, tablets, personal / private computers, and public computers
• Access to any CRCSI corporate service is discouraged unless the device adheres to or is included within the management of the CRCSI, e.g. antivirus / antimalware, password complexity, software patching etc.
• In the event access is required, ensure that any and all data is deleted from the computer afterwards, including cookies, documents and files, and browser history.

For those individuals for whom the CRCSI deems the ongoing use of personal computers for accessing CRCSI corporate services appropriate, the following security measures are recommended at a minimum:

• Compliance with the Password Policy
• Installation of CRCSI corporate endpoint security software (Bitdefender recommended)
• Inclusion of the device in patching and operating system updates

4.1.4 Creating Security Focused Culture

Roadmap Areas: Security Focused Culture

Timeline / Urgency: Q1 2016 and Ongoing

Recommended Action: Education, Education, Education.

Providing staff with education focused on:

• Awareness of cyber threats and common attacks
• Awareness of what is sensitive data & the policies relating to it
• Creating a healthy sense of paranoia
• Understanding why many of the planned changes are taking place
• How security relates to the macro environment of the CRCSI and the coming years*
• Data distribution policies outside CRCSI staff when ‘research projects’ are being reviewed
• Increased policy communication: What, Why, How
  o Especially regarding management of sensitive data

*An example of this may include a 10 – 15 min video from Peter, or an interview format, to provide the big picture of how the CRCSI’s IP and Data is relevant beyond the day-to-day operations and individual research projects. Easy deployment through Yammer, YouTube, Vimeo etc.

4.1.5 Insurance Requirements of Data Management

Roadmap Areas: All

Timeline / Urgency: Immediate

Recommended Action: Review existing obligations and requirements relating to data management, protection, backup, and duplication within existing insurance policies. This may affect and influence both existing and planned activities.

4.1.6 Define Policy on Data Management and Storage

Roadmap Areas: N/A

Timeline / Urgency: Q1/2 2016

Recommended Action: Create a policy that specifically clarifies Data Management and Storage, including distribution.

Data types that we suggest to address specifically are:

• GIS Data (Riyas & Nathan to be primary influencers)
• Source Code (Riyas & Nathan to be primary influencers)
• Email Archiving
• Data recovery / restore processes
• Work in progress
• Collaborative documents and files

4.1.7 Review Source Code Management

Roadmap Areas: Security Focused Culture, and Endpoint & Application Access Security

Timeline / Urgency: Q1 2016

Recommended Action: In conjunction with Riyas & Nathan, review and document the management of source code, including the management of:

• Internally developed applications & data analysis tools
• Development systems, tools and services used for application development
• Source code shared with or provided to 3rd parties and research participants
• Who has access and to what extent


4.1.8 ISO Standard 27001 – Guiding Principles

Roadmap Areas: Security Focused Culture, and Future Considerations

Timeline / Urgency: Q3 2016 and beyond

Recommended Action: To assist with aligning Information Security practices and systems with best practice, it is suggested that the CRCSI considers using the principles of ISO/IEC 27001:2013 (Information Security Standard) as guiding principles for the CRCSI.

This incorporates the ongoing commitment to establish, implement, maintain and continually improve Information Security Management, in addition to providing both internal and external confidence in the way the CRCSI manages its systems and data.

4.1.9 Research Data and Project Review Data

Roadmap Areas: Security Focused Culture, and Future Considerations

Timeline / Urgency: Q2 2016

Recommended Action: The CRCSI review the structure of managing and storing the Research data to determine whether the current access and structure is reflective of the sensitivity of the data contained within and of staff requirements for accessing the data.

Note: The Defence Control Act 2012 may have implications for research projects in collaboration with international partners or stakeholders. It is suggested that these implications be considered on a ‘Project’ basis, in addition to a known internal policy outlining guidance regarding the evaluation of the Act’s relevance to a project.

For additional information relating to the relevance of the CRCSI data and projects to the Act, refer to https://www.comlaw.gov.au/Details/F2015C00310/Download and https://dsgl.defence.gov.au/Pages/Home.aspx

These resources provide a specific list of information and services included within the Act, and a self assessment tool to determine if your specific application or data is controlled by the Act.


4.1.10 Document Sensitivity Rating

Roadmap Areas: Security Focused Culture, and Endpoint & Application Access Security

Timeline / Urgency: Q1 2016

Recommended Action: Update the existing Document/File naming convention to include an additional 2 character security rating identifier. This identifier will easily show the intended audience in addition to the sensitivity of the content.

A suggested approach to this identifies either an Internal or External audience, along with a Sensitivity Rating or Category.

By way of example:

A public notice may be categorized as E1. E = External facing content, 1 = No sensitivity
An organizational chart may be I2. I = Internal, 2 = Low sensitivity
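Once the rating is part of the file name, it can be read by a script as well as by people, which makes it possible to sweep a folder export and find files that never received a rating. The following is an added example, not part of the roadmap or any CRCSI tooling. It assumes the rating is the last hyphen-separated token before the file extension (e.g. "Public-Notice-2016-E1.pdf"); the page does not fix the placement. Levels 1 and 2 are the page's own; levels 3 and 4 are an assumed extension of the scale, and the "external but sensitive" check in audit_filenames is likewise an assumed review rule, not one the page states.

```python
import re
from dataclasses import dataclass

AUDIENCE = {"E": "External", "I": "Internal"}
# 1 and 2 are the levels the page defines; 3 and 4 are assumed extensions of the scale.
SENSITIVITY = {1: "No sensitivity", 2: "Low", 3: "Medium", 4: "High"}

# Assumption: the rating is the last hyphen-separated token before the extension,
# e.g. "Public-Notice-2016-E1.pdf". The CRCSI's actual placement may differ.
RATING_RE = re.compile(r"-([EI])([1-4])(?=\.[A-Za-z0-9]+$)")


@dataclass(frozen=True)
class Rating:
    code: str          # e.g. "E1"
    audience: str      # "External" or "Internal"
    sensitivity: int   # 1 (none) .. 4 (high, assumed)

    @property
    def label(self):
        return f"{self.audience}, {SENSITIVITY[self.sensitivity]}"


def parse_rating(filename):
    """Return the Rating embedded in filename, or None when no valid code is present."""
    m = RATING_RE.search(filename)
    if m is None:
        return None
    letter, digit = m.group(1), int(m.group(2))
    return Rating(code=f"{letter}{digit}", audience=AUDIENCE[letter], sensitivity=digit)


def audit_filenames(filenames):
    """Sort a batch of names into: unrated (convention not applied) and external-facing
    files rated above 'No sensitivity' (assumed check: worth a second look before
    anything marked External leaves the organisation)."""
    unrated, external_sensitive = [], []
    for name in filenames:
        rating = parse_rating(name)
        if rating is None:
            unrated.append(name)
        elif rating.audience == "External" and rating.sensitivity > 1:
            external_sensitive.append(name)
    return {"unrated": unrated, "external_sensitive": external_sensitive}


# Constructed sample file names for illustration.
SAMPLE_FILES = [
    "Public-Notice-2016-E1.pdf",
    "Org-Chart-I2.xlsx",
    "Board-Minutes-Jan.docx",     # convention not applied
    "Partner-Pricing-E3.xlsx",    # external audience but rated above 'no sensitivity'
]

if __name__ == "__main__":
    for name in SAMPLE_FILES:
        r = parse_rating(name)
        print(f"{name}: {r.code + ' = ' + r.label if r else 'no rating'}")
    print(audit_filenames(SAMPLE_FILES))
```

Running the audit over a Dropbox folder listing gives a quick measure of how far the convention has been adopted, and the unrated list doubles as the work queue for classifying existing documents.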


4.2 Process & Capability Recommendations

4.2.1 New Systems or Applications Process

Roadmap Areas: Future Considerations

Timeline / Urgency: Q3 2016

Recommended Action: Outline a process that provides guidance and structure relating to new Systems or Applications. The process should include:

• Project ownership
• Evaluation and Requirement Scoping
• Budget and Procurement Authorisation
• Deployment Considerations
• End user Education and Training

4.2.2 New Equipment Purchasing Process

Roadmap Areas: Future Considerations

Timeline / Urgency: Q1/2 2016

Recommended Action: Outline a process that provides guidance and structure relating to new equipment and hardware for staff. The process should include:

• Estimated annual budget (equipment refresh)
• Individual categorization of role and specification requirements (Low, Medium, High specifications of PC hardware / software)
• Standard PC/Laptop applications and accessories
• Budget allocation and procurement authorisation

4.2.3 New Staff Entry & Exit Process

Roadmap Areas: Future Considerations

Timeline / Urgency: Q2 2016

Recommended Action: Create a repeatable ICT related process for the account and system user creation & removal processes for both new and exiting staff. The process should include:

• New account request process
• Application and System access & security details
• Email account creation standards
• Account removal checklists
• Mail archiving, and availability on exit including new email routing settings (Ex Staff)

4.2.4 Increased End User Education & Training

Roadmap Areas: Migrating to Office 365, and Future Considerations

Timeline / Urgency: Q1/2 2016 and ongoing

Recommended Action: Outline a process for enabling and providing staff with additional training and education on the effective use of systems and applications. The process should include:

• Estimated annual budget
• Relevant Systems and Applications included
• Request and approval
• Awareness of availability

4.2.5 Technical Support Escalation Process & Partnership

Roadmap Areas: Endpoint & Application Access Security, and Future Considerations

Timeline / Urgency: Q1 2016 and ongoing

Recommended Action: Identify and engage with an ICT technical services organization to provide coordinated ongoing assistance and support to the CRCSI and its staff.

4.2.6 Creation of Local PC Administrator On All Computers

Roadmap Areas: Future Considerations

Timeline / Urgency: Q2 2016

Recommended Action: Create a common ‘local’ Administrator account on CRCSI PCs and Laptops to provide underlying access to the PCs independent of the individual staff accounts on the computers. This will provide improved administration and management capabilities for the computers. The password for this account falls under the administrative password rules in 4.1.1.


4.2.7 Increased Clarity on Defined Applications For Use

Roadmap Areas: Future Considerations, and Endpoint & Application Access Security

Timeline / Urgency: Q3 2016

Recommended Action: Outline and document the CRCSI’s approved and preferred list of applications for use by the staff. This assists in creating consistency and preventing ‘technology islands’ of unknown application and service usage.

4.2.8 Contact List Management

Roadmap Areas: Migrating to Office 365

Timeline / Urgency: Q2 2016

Recommended Action: Utilise Microsoft Office 365 to provide the authoritative source for Contact Lists and their ongoing management. (Currently some contact lists are individually managed, others within Mailchimp, and others within Pipedrive.) A central authoritative source is important for the consistency, visibility, and currency of contacts relevant to the CRCSI.

4.2.9 Product Development and Management

Roadmap Areas: Future Considerations

Timeline / Urgency: 2017 / 18

Recommended Action: As a long term consideration, obtaining Product Development and Management capabilities is suggested to improve the commercialization and capitalization of the potential value of source code and associated IP as ICT assets.


4.3 Data Protection Recommendations

4.3.1 2 Step Verification / Authentication for Dropbox

Roadmap Areas: Endpoint & Application Access Security, and Security Focused Culture

Timeline / Urgency: Q1 2016

Recommended Action: Plan and implement 2 step verification for all staff accounts accessing Dropbox.

4.3.2 Review Dropbox Folder Permissions

Roadmap Areas: Endpoint & Application Access Security, and Security Focused Culture

Timeline / Urgency: Q1 2016

Recommended Action: Review existing Dropbox Folder permissions with a view to limiting access for individual user accounts to only those folders necessary to perform their role effectively and efficiently. The purpose of this is to limit data loss risk in the event of individual account compromise.

4.3.3 Implementation of Complex Phone PIN / Passcodes

Roadmap Areas: Endpoint & Application Access Security, and Security Focused Culture

Timeline / Urgency: Q1 2016

Recommended Action: Enforce the removal of simple PIN / passcode use on mobile devices, enforcing the use of complex passcodes in accordance with the new Password Policy.

4.3.4 Bitdefender AV / AM Security Software on PCs

Roadmap Areas: Endpoint & Application Access Security

Timeline / Urgency: Q1 2016

Recommended Action: The implementation of Bitdefender GravityZone Endpoint Security on all PCs / Laptops. Bitdefender offers best in class Antivirus and Antimalware with cloud based management. With its unparalleled heuristic and performance architecture, it offers the most suitable and capable AV solution for the CRCSI.


4.3.5 Activate Remote Wipe Dropbox Capabilities

Roadmap Areas: Endpoint & Application Access Security

Timeline / Urgency: Q1 2016

Recommended Action: Plan and implement the use of Dropbox’s Remote Wipe capability, including end user education on the use of this and its purpose.

4.3.6 Laptop / PC Backup to Local NAS

Roadmap Areas: Endpoint & Application Access Security, and Future Considerations

Timeline / Urgency: Q2 2016

Recommended Action: Implement an automated backup of relevant Laptops / PCs when in the office. This will provide faster and smoother recovery from device failure, loss, or data corruption.

The recommended product for Windows operating systems is Veeam Endpoint Backup. This Veeam product is free, supports BitLocker (encryption), and is easy and flexible to deploy.

4.3.7 Office Backup of Dropbox Data

Roadmap Areas: Endpoint & Application Access Security, and Future Considerations

Timeline / Urgency: Q2 2016

Recommended Action: Automate a periodic onsite point in time snapshot / backup of all Dropbox data and files. This is suggested to be done in conjunction with 4.3.6 Laptop / PC Backup to Local NAS.

4.3.8 Periodic Dropbox Administrator Password Change & Role Review

Roadmap Areas: Endpoint & Application Access Security, and Security Focused Culture

Timeline / Urgency: Q1 2016 and ongoing

Recommended Action: Change the Dropbox Team Administrator password at least every 3 months. Additionally, incorporate a 3 month periodic review of role & folder permission allocations for all user accounts.
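The folder permission review in 4.3.2 and the 3-monthly review in 4.3.8 are the same exercise repeated: compare what each account can reach against what its role needs, and remove the difference. The following is an added example, not part of the roadmap or any CRCSI or Dropbox tooling, of that comparison run over a constructed sample. The role-to-folder map, the user list and the grants stand in for a team folder export; the addresses, folder names and dates are hypothetical. It also reports accounts that hold access but map to no current role (the departed-staff case) and which 3-monthly items are overdue.

```python
from datetime import date, timedelta

# Constructed sample data standing in for a Dropbox Business team export; the folder
# names, roles and addresses are hypothetical.
ROLE_FOLDERS = {
    "Finance":  {"Finance", "Board Papers"},
    "Research": {"Research Projects", "GIS Data"},
    "Admin":    {"HR", "Board Papers", "Finance"},
}
USER_ROLES = {
    "alice@example.org": "Finance",
    "bob@example.org": "Research",
    "carol@example.org": "Admin",
    "dave@example.org": None,   # left the organisation; account still present
}
OBSERVED_GRANTS = [
    ("alice@example.org", "Finance"),
    ("alice@example.org", "Research Projects"),   # not needed for the Finance role
    ("bob@example.org", "Research Projects"),
    ("bob@example.org", "GIS Data"),
    ("carol@example.org", "HR"),
    ("carol@example.org", "Finance"),
    ("dave@example.org", "Research Projects"),    # ex staff still holds access
]
# When each 3-monthly item was last done (constructed), checked against the review date.
LAST_REVIEWED = {
    "Dropbox team administrator password": date(2015, 10, 1),
    "Role & folder permission allocations": date(2016, 1, 15),
}
REVIEW_DATE = date(2016, 1, 27)


def excess_grants(user_roles, role_folders, grants):
    """Map each user to the sorted folders they hold beyond what their role requires.
    A user with no role (departed staff, unknown account) has every grant reported."""
    report = {}
    for user, folder in grants:
        role = user_roles.get(user)
        needed = role_folders.get(role, set()) if role else set()
        if folder not in needed:
            report.setdefault(user, []).append(folder)
    return {user: sorted(folders) for user, folders in report.items()}


def orphaned_accounts(user_roles, grants):
    """Accounts that still hold folder access but map to no current role."""
    return sorted({user for user, _ in grants if user_roles.get(user) is None})


def reviews_due(last_reviewed, today, period_days=90):
    """Items whose last completion is older than the review period (3 months by default)."""
    cutoff = today - timedelta(days=period_days)
    return sorted(item for item, when in last_reviewed.items() if when < cutoff)


if __name__ == "__main__":
    for user, folders in excess_grants(USER_ROLES, ROLE_FOLDERS, OBSERVED_GRANTS).items():
        print(f"{user}: remove access to {', '.join(folders)}")
    print("orphaned accounts:", orphaned_accounts(USER_ROLES, OBSERVED_GRANTS))
    print("reviews due:", reviews_due(LAST_REVIEWED, REVIEW_DATE))
```

The role-to-folder map is the piece that has to be agreed with the business before the first review; once it exists, each quarterly pass is a diff rather than a fresh judgement call, and the orphaned-account list feeds the exit checklist in 4.2.3.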

4.3.9 Device Hardening

Roadmap Areas: Endpoint & Application Access Security, and Future Considerations

Timeline / Urgency: Q2 2016

Recommended Action: Plan and implement changes to harden both phones and computers for staff that work remotely or travel away from the office. This recommendation incorporates other specific recommendations within this review, and includes:

• Encryption of phones and laptops where appropriate
• Implementation of complex passcodes and passphrases
• 4.3.10 Implement Auto Wipe of Mobile Phones (with Microsoft Office 365)
• 4.3.5 Activate Remote Wipe Dropbox Capabilities
• 4.4.2 Application Updates & Patching
• Deactivating Windows File & Printer sharing where not necessary
• Setting auto lock to a very short time limit

4.3.10 Implement Auto Wipe of Mobile Phones

Roadmap Areas: Endpoint & Application Access Security, and Microsoft Office 365

Timeline / Urgency: Q2 2016

Recommended Action: To further reduce data loss risk in the event of lost or stolen phones, plan, educate, and implement the remote / auto wipe capabilities relating to mobile phones, including the use of the iPhone ‘Auto Erase’ feature after 10 failed attempts and Android’s similar capability. Utilise ‘Remote Wipe’ capabilities within the Microsoft Office 365 ‘Mobile Device Management’ (MDM) feature set.

4.3.11 Reviewing Application Whitelisting and Restricting Outgoing Internet Traffic

Roadmap Areas: Future Considerations

Timeline / Urgency: 2017 & 2018

Recommended Action: Plan for a future review of the suitability of implementing application whitelisting and restricting outgoing Internet traffic. These 2 items represent highly effective cyber protection measures, and we suggest considering the pros / cons and expense, and also the potential exposure of the CRCSI in the future.

Note: The implications of changing or controlling this are both expensive and onerous. Also, whilst utilizing the Melbourne University network and internet services, the restriction of outgoing internet traffic is potentially not possible.

4.4 Systems and Applications Recommendations

4.4.1 Migration to Office 365 for Email & Contact Management

Roadmap Areas: Migrating to Office 365

Timeline / Urgency: Q1 2016

Recommended Action: As discussed in the Strategic Roadmap Summary, this recommendation delivers a range of benefits and addresses a number of existing issues. The CRCSI may be eligible for Microsoft’s Not For Profit Donation that results in highly discounted rates for Microsoft Office 365. Please refer to the Strategic Roadmap Summary for additional information relating to this recommendation.

4.4.2 Application Updates & Patching

Roadmap Areas: Endpoint & Application Access Security

Timeline / Urgency: Q1 2016

Recommended Action: Implement a process for identifying software updates and security patches relating to PCs and Laptops, in addition to a process for ensuring they are applied in a timely and consistent fashion. This recommendation would be suitably incorporated into the scope of 4.2.5 Technical Support Escalation Process & Partnership.

4.4.3 Review Group Collaboration Requirements

Roadmap Areas: Future Consideration

Timeline / Urgency: Q3 2016

Recommended Action: The issues identified relating to the use of collaboration and group communication tools would benefit from a review of CRCSI requirements and possible improvements to increase productivity and efficiency. Many products are available to provide improved group collaboration and communication incorporating live document editing, voice & video conferencing, screen sharing and presenting. If the CRCSI is eligible for Microsoft Office 365 Non Profit pricing, the suite of collaboration and conferencing tools may be highly favourable and should be considered.

4.4.4 Evaluate Cloud Based Financial System

Roadmap Areas: Future Consideration

Timeline / Urgency: Q4 2016

Recommended Action: In line with the broader trend of moving all core services to cloud based systems, the existing Tensia equipment and service is recommended for review. At present the system is only available within the office and, whilst provided as a managed service, is dependent on the physical server located in the office. Cloud based accounting / financial systems provide flexible and feature rich alternatives that will provide the CRCSI with additional flexibility and potentially increased efficiencies with existing accounting / accounts processes.

4.4.5 CRM Project

Roadmap Areas: CRM Project, and Future Consideration

Timeline / Urgency: Q2/3 2016

Recommended Action: As discussed in the Strategic Roadmap Summary, this recommendation delivers a range of benefits and addresses a number of existing issues. Please refer to the Strategic Roadmap Summary for additional details relating to this recommendation.

4.4.6 Network Strategy Post Melbourne University

Roadmap Areas: Future Consideration

Timeline / Urgency: 2017

Recommended Action: As the CRCSI plans for the transition to a private equity organization, the future arrangements for alternative premises may not include the use of the existing Network services provided by Melbourne University. We recommend that the CRCSI budget and plan for this change, including a review of the business requirements and ideals in order to influence the selection of premises to include the ability and cost effective access to high capacity Internet services. The planning of the Network Strategy should incorporate:

• Internet capacity requirements and ideals
• Network infrastructure including LAN & WLAN
• Boundary Security requirements and related Security Infrastructure
• Telephony and Video functional requirements
• Project ownership and relocation plans

4.4.7 Remote Access to GIS Data

Roadmap Areas: Future Consideration

Timeline / Urgency: Q2/3 2016

Recommended Action: At present the GIS data sets at the CRCSI are only accessible when in the office, or with the use of portable disk drives to transport partial data sets only. This creates inefficiencies at times and also results in increased management and tracking of data locations. We recommend that, in conjunction with recommendation 4.4.8 Corporate File Systems and Non GIS Data below, the CRCSI considers a review of the ideals relating to the management, protection, and housing of the GIS Data with a view to reviewing Australian based cloud services. This would provide increased capabilities relating to:

• Accessing cloud computing capacity for short term very high processing requirements when running data analysis and modeling
• Geographic redundancy of data between Melbourne & Sydney
• Access to the data when at partner locations, in addition to flexible & granular collaboration and 3rd party access when appropriate

4.4.8 Corporate File Systems and Non GIS Data

Roadmap Areas: Future Consideration

Timeline / Urgency: Q2/3 2016

Recommended Action: We recommend the CRCSI review whether Dropbox meets the security needs of the CRCSI based on the flexibility of folder permissions, and the issue of data sovereignty. The CRCSI should consider whether Australian located Microsoft Azure (or similar) services are more suitable for its business needs and its strategic objectives. As mentioned above, this recommendation and review would be suitable to perform in conjunction with recommendation 4.4.7 Remote Access to GIS Data.


5 Annex&1&(&Recommendations&Matrix&

Ref& Specific&Recommendation& Strategic&Roadmap&Area& Suggested&

Timeline&

Implement

ation&Effort&

Exposure&&&

Importance&

Impact&&&

Relevance&

Policy and Culture Recommendations
4.1.1 | Password and Password Management Policy | Endpoint & Application Access Security | Q1 2016 | Low | High | High
4.1.2 | Personal Mobile As Primary Phone | Endpoint & Application Access Security | Q1 2016 | Low | Med | Med
4.1.3 | Update Personal Device Usage Policy | Endpoint & Application Access Security | Q1 2016 | Med | Med | Med
4.1.4 | Creating Security Focused Culture | Security Focused Culture | Q1 2016 + | Med | Med | Med
4.1.5 | Insurance Requirements of Data Management | All | Immediate | Low | Med | Low
4.1.6 | Define Policy on Data Management and Storage | N/A | Q1/2 2016 | Low | Low | Med
4.1.7 | Review Source Code Management | Endpoint & Application Access Security | Q1 2016 | Low | Med | Low
4.1.8 | ISO Standard 27001 – Guiding Principles | Future Considerations | Q3 2016 + | Med | Low | Med
4.1.9 | Research Data and Project Review Data | Future Considerations | Q3 2016 + | Low | Med | Low
4.1.10 | Document Sensitivity Rating | Security Focused Culture | Q1 2016 | Low | Low | Low

Process & Capability Recommendations
4.2.1 | New Systems or Applications Process | Future Considerations | Q3 2016 | Low | Low | Med
4.2.2 | New Equipment Purchasing Process | Future Considerations | Q1/2 2016 | Low | Low | Low
4.2.3 | New Staff Entry & Exit Process | Future Considerations | Q2 2016 | Low | Low | Med
4.2.4 | Increased End User Education & Training | Future Considerations | Q1/2 2016 | Med | Low | Low
4.2.5 | Technical Support Escalation Process & Partnership | Endpoint & Application Access Security | Q1 2016 + | Med | Low | Med
4.2.6 | Creation of Local PC Administrator On All Computers | Future Considerations | Q2 2016 | Med | Low | Low
4.2.7 | Increased Clarity on Defined Applications For Use | Future Considerations | Q3 2016 | Low | Low | Low
4.2.8 | Contact List Management | Migration to Office 365 | Q2 2016 | Med | Low | Low
4.2.9 | Product Development and Management | N/A | | n/a | n/a | n/a

Data Protection Recommendations
4.3.1 | 2 Step Verification / Authentication for Dropbox | Endpoint & Application Access Security | Q1 2016 | Med | High | High
4.3.2 | Review Dropbox Folder Permissions | Endpoint & Application Access Security | Q1 2016 | Low | Med | Med
4.3.3 | Implementation of Complex Phone PIN / Passcodes | Endpoint & Application Access Security | Q1 2016 | Low | Med | Med
4.3.4 | Bitdefender AV / AM Security Software on PCs | Endpoint & Application Access Security | Q1 2016 | Med | High | High


4.3.5 | Activate Remote Wipe Dropbox Capabilities | Endpoint & Application Access Security | Q1 2016 | Low | Med | Med
4.3.6 | Laptop / PC Backup to Local NAS | Future Considerations | Q2 2016 | Med | Low | Med
4.3.7 | Office Backup of Dropbox Data | Future Considerations | Q2 2016 | Low | Med | Low
4.3.8 | Periodic Dropbox Administrator Password Change & Role Review | Endpoint & Application Access Security | Q1 2016 + | Low | High | Low
4.3.9 | Device Hardening | Endpoint & Application Access Security | Q2 2016 | Med | Med | Med
4.3.10 | Implement Auto Wipe of Mobile Phones | Migration to Office 365 | | Low | Med | Low
4.3.11 | Reviewing Application Whitelisting and Restricting Outgoing Internet Traffic | Future Considerations | 2017 + | High | Low | Low

Systems and Applications Recommendations
4.4.1 | Migration to Office 365 for Email & Contact Management | Migration to Office 365 | Q1 2016 | High | Med | High
4.4.2 | Application Updates & Patching | Endpoint & Application Access Security | Q1 2016 | Med | Med | Med
4.4.3 | Review Group Collaboration Requirements | Future Considerations | Q3 2016 | Med | Low | Low
4.4.4 | Evaluate Cloud Based Financial System | Future Considerations | Q4 2016 | High | Low | Med
4.4.5 | CRM Project | CRM Project | Q2/3 2016 | High | Med | Med
4.4.6 | Network Strategy Post Melbourne University | Future Considerations | 2017 + | High | Med | Med
4.4.7 | Remote Access to GIS Data | Future Considerations | Q2/3 2016 | High | Low | Med
4.4.8 | Corporate File Systems and Non GIS Data | Future Considerations | Q2/3 2016 | High | Low | Med


6 Annex 2 – Department of Defence CSOC – Top 35 Strategies to Mitigate Targeted Cyber Intrusions

This is the list as published by the Department of Defence (updated February 2014), together with how the existing CRCSI infrastructure and services perform against each strategy.

Ranking | Mitigation Strategy | Current Compliance | Service Realm | Planned Compliance | Roadmap Reference / Note
--------|---------------------|--------------------|---------------|--------------------|--------------------------
1 | Application Whitelisting | No | CRCSI | No | Future Consideration
2 | Patch Applications | No | CRCSI | Yes | Endpoint & Application Access Security
3 | Patch Operating System Vulnerabilities | MU - Yes | CRCSI & MU | Yes | Endpoint & Application Access Security
4 | Restrict Administration Privileges | MU - Yes | CRCSI & MU | No | Not planned for CRCSI
5 | User Application Configuration Hardening | Unknown | CRCSI | Yes | Endpoint & Application Access Security
6 | Automated Dynamic Analysis | MU - Yes | CRCSI & MU | Yes | Endpoint & Application Access Security
7 | Operating System Generic Exploit Mitigation | No | CRCSI | No | Not planned for CRCSI
8 | Host-based Intrusion Detection/Prevention | No | CRCSI | Yes | Endpoint & Application Access Security
9 | Disable Local Administrator Accounts | No | CRCSI | No | Not planned for CRCSI
10 | Network Segmentation and Segregation | Yes | MU | |
11 | Multi-factor Authentication | No | CRCSI | Yes | Office 365 & Dropbox planned
12 | Software Based Application Firewall | Yes | MU | |
13 | Software Based Application Firewall - Blocking Outgoing Traffic | No | MU | No | MU defined network function
14 | Non-persistent Virtualised Sandbox Trusted Operating Environment | No | CRCSI | Yes | Endpoint & Application Access Security
15 | Centralised and Time-synchronised Logging | No | CRCSI | No | Not planned for CRCSI
16 | Centralised and Time-synchronised Logging of Network Events | Yes | MU | |
17 | Email Content Filtering | Assumed Yes | Google | Yes | Migrating to Office 365
18 | Web Content Filtering | Yes | MU | |
19 | Web Domain Whitelisting for All Domains | No | MU | No | MU defined network function
20 | Block Spoofed Emails | Assumed Yes | Google | Yes | Migrating to Office 365
21 | Workstation and Server Configuration Management | No | CRCSI | No | Not planned for CRCSI
22 | Antivirus Software Running Heuristics | No | CRCSI | Yes | Endpoint & Application Access Security
23 | Deny Direct Internet Access from Workstations | No | MU | No | MU defined network function
24 | Server Application Configuration Hardening | N/A | | |
25 | Enforce Strong Passphrase Policy | No | CRCSI | Yes | Endpoint & Application Access Security
26 | Removable and Portable Media Control | No | CRCSI | No | Not planned for CRCSI
27 | Restrict Access to Server Message Block (SMB) and NetBIOS | No | CRCSI | No | Not planned for CRCSI
28 | User Education | No | CRCSI | Yes | Security Focused Culture
29 | Workstation Inspection of Microsoft Office Files | Unknown | CRCSI | Yes | Endpoint & Application Access Security
30 | Signature Based Antivirus Software | Yes | CRCSI | Yes | Endpoint & Application Access Security
31 | TLS Encryption Between Email Servers | N/A | | |
32 | Block Attempts to Access Websites by Their IP Address | No | MU | No | MU defined network function
33 | Network Based Intrusion Detection / Prevention | Yes | MU | |
34 | Gateway Blacklisting | No | MU | No | MU defined network function
35 | Capture Network Traffic | Yes | MU | |

Source: ASIO > Australian Cyber Security Centre – Key Publication > DoD > Australian Signals Directorate > Cyber Security Operations Centre

Full document (summary) available at http://www.asd.gov.au/publications/Mitigation_Strategies_2014.pdf


7 Annex 3 – Existing CRCSI Risk Management Controls

As outlined in the CRCSI Risk Management Plan & Register V1.4 (May 2015), there are existing controls in place that relate to IT risk management. These have been included for reference purposes and provide additional context for the findings and recommendations of the review. 'Intellectual property not protected or not properly commercialised' (Asset Management 3.2) has been identified, with the following existing controls:

- IP register and IP Policy guidelines, including the publishing process
- Experienced Project Leaders
- Well documented contracts
- Project Leaders manual and Utilisation Plans developed

The risk of staff being dependent on the office location is identified in 'Damage and/or destruction to business premises so that staff are unable to work there (business continuity risk)' (Asset Management 3.7). Existing controls are:

- Adequate insurance policies in place
- Business Continuity Plan reviewed and updated annually

The existing controls for the management and mitigation of 'Information Technology catastrophic failure and loss of research in participants' (Research 4.9) are:

- Individual researchers to ensure offsite backup and computing redundancy
- Provision of IT support and institutional policies or research providers
- Project Leaders manual

The existing controls for the management and mitigation of 'Information Technology catastrophic failure and loss of corporate information (business continuity risk)' (Administration 5.4) are:

- Daily offsite backup and computing redundancy
- Admin staff located offsite to ensure offsite backup and computing redundancy
- Provision of IT Support and institutional policies at Head Office
- Password plan

The existing controls for the management and mitigation of 'Accounting software failure and loss of information (business continuity risk)' (Administration 5.5) are:

- Software backed up daily
- Commercial grade software


- Space needs are non-specialised, with multi-location options
- Outsourced payroll data
- Business Continuity Plan and disaster recovery plan
- Data backed up remotely on a daily basis using Sage Data Secure

The existing controls for the management and mitigation of 'External – Risk of cyber crime including theft of, misuse and or serious damage to digital records' (Administration 5.10) are:

- Spam filters, anti-virus software & firewalls for e-mail
- Encrypted data transfer and storage process for Admin files (stored in Dropbox) and Accounting files (stored with Sage Data Secure)

The existing controls for the management and mitigation of 'Internal – Risk of cyber crime including theft of, misuse and or serious damage to digital records' (Administration 5.11) are:

- Spam filters, anti-virus software & firewalls for e-mail
- Access controls on who can access corporate files
- Exit checklists to ensure access is removed for staff who leave
- Devices (laptops etc.) containing corporate information not taken on overseas business trips to certain countries

The existing controls for the management and mitigation of 'An employee(s) of a CRCSI participant acts to damage the reputation of the CRCSI' (External Relations 6.5) are:

- Media Protocols in place
- Regular participant surveys conducted to assess satisfaction
- Immediate attention by CEO and executive
- Social media guidelines developed
