InfoGovANZ

Information Governance Think Tank

Cyber & Info Security

Shaping a Layered Approach to Cybersecurity in Australia

by

“We shape our buildings; thereafter they shape us,” – Winston Churchill.

At Relativity, we believe in shaping our security posture in layers so it will continue to grow and better adapt to the needs of the market, the threat landscape, and our customers around the world.

In the APAC market specifically, our Calder7 threat intel team believes the region will continue to be a hotbed for attacks from a variety of Ransomware-as-a-Service and nation state threat actors, not to mention recent customer-facing breaches. One other persistent threat facing organizations across the globe, and particularly in APAC, is Zero-Day Vulnerabilities like the Log4Shell Vulnerability. These types of threats are concerning due to their growing scope and usage by threat actors. In April 2022, Google’s Project Zero reported that last year, the number of zero-day vulnerabilities detected and disclosed had more than doubled to 58 “in-the-wild 0-days”; 2022 is closely tracking a similar trajectory.

The constant influx of current and future threats makes the need to use secure, public cloud software much more important for businesses looking to do their work with the peace of mind that their most confidential data is secure.

One new validation of our security posture that we’re particularly proud of at Relativity is the announcement that Relativity has achieved the Infosec Registered Assessors Program (IRAP) assessment against ‘PROTECTED’ controls for our Australian cloud offering, RelativityOne. This means that RelativityOne now meets the high standard needed for security postures in technology systems used by a variety of Australian governmental agencies. For us, taking on this assessment was about building a high standard of assurances throughout our part in the legal supply chain so Australia’s public sector and anyone else dealing with high value and protected data can feel confident in where their data resides, despite an evolving threat landscape.

 

Building a skyscraper, or even a single-family home, requires a strong foundation. There are many paths to creating strong security foundations. Certifications are one of the most visible foundations for our customers. Our certification foundation at Relativity and its security posture includes many pillars: Relativity is ISO/IEC 27001:2013 certified and SOC 2, Type II; IRAP assessed, and many more. Achieving these pillars and keeping them up to date can be taxing, but it means that our foundation is strong and resilient against bad actors; additionally, it means that we can be adaptable and able to meet the needs of a variety of global customers and industries.

To achieve a new certification or assessment – in IRAP’s case – you need close collaboration between a variety of teams along with a significant commitment of time and resources. For IRAP, this meant close collaboration with over 12 teams across a variety of time zones over a period of several months, along with numerous evidence submissions, documentation updates, and walkthrough assistance with our 3rd party auditors.

The goal of all of this is to show that RelativityOne adheres to IRAP’s more than 700 security controls through an extensive review conducted by a 3rd party auditor. During the formal assessment, the auditors looked to find any security weaknesses in our SaaS product as listed by the controls and ensured that we adhere to their specific list of rules and regulations that allow us to handle sensitive data in the region.

 

In many ways, the assessment was like a house inspection. The inspector looked to ensure all of the doors in RelativityOne were properly locked, windows were working, furnace was functional, piping and electrical ran correctly, and everything in between. Basically, they assessed – is your product a fortress that is highly protected from even the greatest threats or is it a standard house with a few security gaps that could allow a bad actor unwanted access. The gap in controls between the standard house and a fortress is large and hard to achieve, but that’s what it takes to meet the standards of the IRAP assessment.

After the assessment, we can confidently say that RelativityOne securely supports Australian government data in a cloud environment classified up to the PROTECTED threshold, which is a vital security threshold for many of these agencies.

Providing best-in-class security is an ongoing process that requires a particular combination of the right people, processes, and technology to be successful. While IRAP shows RelativityOne has now completed its latest ‘home inspection,’ there’s always more to be done to establish resilience against cyber threats. Having people on the ground locally can be critical for intimately understanding the environments you’re operating in. This led us to add our first cybersecurity analyst in Australia to further bolster our home’s protective forcefield, adding to the highly skilled Calder7 global security crew of over 50 engineers, analysts, and subject matter experts tasked with protecting customer data from getting into the hands of bad actors.

Another important element is having partners you can rely on to add to your layers. Perhaps the most important partner for us is Microsoft. Relativity built RelativityOne on the shoulders of Microsoft’s Azure infrastructure and security experience and continue to work in close partnership with the tech leader. Relativity has also been a member of Microsoft’s Intelligent Security Association (MISA) since 2020, an ecosystem of independent software vendors and services that have integrated their security products and services with Microsoft’s, and recently received the award for Security Independent Software Vendor of the Year at Microsoft’s 2022 Security Excellence Awards. Once we’ve established deep relationships with our security partners, we can exponentially increase the layers of protection of both our company and our product, and in turn provide the benefit of an increased level of security and intelligence for anyone who chooses to partner with us.

 

Finally, and not to be overlooked, are the innovations we can create in the product itself to help our customers keep their teams more secure. One additional way we’ve expanding our global approach to security is through the rollout of the RelativityOne Security Center, which is a homegrown, free to use application, built by Calder7, aimed at increasing the security posture of our customers by giving them the direct ability to drive security actions and monitor alerts directly from the app. Alongside the enablement of mass force two factor authentication, one of the other cool features of the tool is the automated log-in map of sign-geographies it provides, giving customers direct lines of sight into who is accessing their application, where they’re coming from, when they accessed it, and the ability to disable or delete inactive users when needed. Security Center is just another tool that empowers our customers to get the most out of their security in RelativityOne.

Moving forward, we will continue to look for new ways and opportunities to ensure Relativity’s security fortress remains secure, no matter the region or circumstance. Successful security postures need maintenance – you need to do annual assessments, home improvements, and daily maintenance to ensure your windows are locked, your doors aren’t broken, and there are no gaps for intruders to infiltrate and exploit. Much like Churchill’s famous quote, the building that we’ve created in RelativityOne’s security posture shapes our path as a company at large moving forward.

Author:

Amanda Fennell, Chief Security Officer and Chief Information Officer – Relativity

Optus Data Breach – the risks of data over – retention

by

  The Optus Data Breach incident has shed some much-needed light on the need for robust, top-down board governance over organisational data and information. It is evident that this attack has demonstrated the need for organisations to sufficiently invest in cyber-attack prevention, detection and response. While the Optus data breach is still under investigation, the consensus from government statements and external experts seems to be that that human error played a significant part in this data breach. It is not uncommon for human factors to either cause or amplify technical weaknesses resulting in a data breach, about one-third of all reported personal data breaches from OAIC’s Notifiable Data Breaches Reports are attributed to human error as the primary factor. Whether data breaches are caused by human error or technical fault, security experts widely agreed that organisations should consider data breaches a question of ‘when’ rather than ‘if’. This in turn […]
Member only content (join now)

2022 Information Awareness Month One Day Seminar

by

This year’s Information Awareness Month One Day Seminar took place at the iconic Institute Building (1861), the first public cultural building in South Australia and was also livestreamed. The theme was “Building Trust in Information” and discussions revolved around facets that we need to trust in order to have trust in information. These included trust in people, process, technology and government. The seminar opened with remarks from Geoff Strempel, Director, State Library of South Australia. As a society we are “drowning in data” and in a knowledge economy IM practitioners are the trustees of information. A huge challenge is the massive data sets that need computers and machine learning to extract patterns and interpretations, but human intellect is still required to assess the outcomes and ultimately arrive at wisdom. ML and AI also raise ethical and privacy dilemmas as technology enable computers to essentially have free reign across the data. […]
Member only content (join now)

OAIC Data Breach Notification Report

by

The Office of the Australian Information Commissioner’s (OAIC) latest Notifiable Data Breaches Report highlights how OAIC expects entities to prevent and respond to data breaches caused by ransomware and impersonation fraud. The OAIC received 446 data breach notifications from January to June 2021, with 43% of these breaches resulting from cyber security incidents. Data breaches arising from ransomware incidents increased by 24%, from 37 notifications in the last reporting period to 46. Read the latest report here.
Member only content (join now)

Trust & Information Insights – Sarah Auva’a

by

As we put 2020 behind us and look forward to 2021, we reflected in an interactive virtual discussion forum on the key IG learnings from the past 12 months and the insights and actions we now need to be taking to make the most of the opportunities and challenges on the road to recovery in 2021. We’ve seen the different ways governments have responded to the COVID-19 pandemic and the results in managing the pandemic. Similarly, organisations have had to adapt to the changes and, in particular, to faster digital transformation. Robust governance of organisations and of information has never been so important. Increased cyber risks and the importance of access to real-time and accurate data for decision-making, both at the board level and throughout the organisation, are now critical issues. In the world of data privacy, unfortunately trust and confidence in the way that organisations use data was already […]
Member only content (join now)

Cyber Risk Management and the Value of Cyber Insurance

by

The technology revolution has created unprecedented developments in the way that business is transacted, how information is obtained, how we communicate with each other and how data is sourced and stored. The reality of these developments has also lead to unparalleled increases in the ability of criminals to act in a digital environment rather than in the physical world and cyber crime has never been more financially rewarding. Cyber risk and cyber exposure exists for every business that uses technology and connects to any form of information systems and networks. Size of business, industry factors and reliance on technology for critical operations can increase cyber risk vulnerability, but no business is immune.  Managers are faced with the challenge of protecting against cyber risk and implementing strategies and procedures to safeguard against the potential loss and damage suffered in a cyber event. Cyber risk management is a holistic approach to evaluating […]
Member only content (join now)

Cybersecurity & IG Insights – Dr Peter Chapman

by

As we put 2020 behind us and look forward to 2021, we reflected in an interactive virtual discussion forum on the key IG learnings from the past 12 months and the insights and actions we now need to be taking to make the most of the opportunities and challenges on the road to recovery in 2021. We’ve seen the different ways governments have responded to the COVID-19 pandemic and the results in managing the pandemic. Similarly, organisations have had to adapt to the changes and, in particular, to faster digital transformation. Robust governance of organisations and of information has never been so important. Increased cyber risks and the importance of access to real-time and accurate data for decision-making, both at the board level and throughout the organisation, are now critical issues. Our expert panel included InfoGovANZ Advisory Board member Dr Peter Chapman who brings expertise in cybersecurity and Information Governance. […]
Member only content (join now)

OAIC Data Breach report: January – June 2020

by

The Office of the Australian Information Commissioner (OAIC) has released its Notifiable Data Breaches (NDB) Report for January to June 2020. Malicious or criminal attacks remain the leading cause of data breaches involving personal information in Australia.    Commissioner Angelene Falk said,  'this trend has significant implications for how organisations respond to suspected data breaches — particularly when systems may be inaccessible due to these attacks. It highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.' In other findings: Health service providers continued to be the top reporting sector (115 notifications), followed by the finance and education sectors, and the insurance industry making the top 5 sectors for the first time. The number of notifications resulting from social engineering or impersonation has increased by 47%. Actions taken by […]
Member only content (join now)

Information Security Risk Management Practitioner Guide – OVIC

by

The Office of the Victorian Information Commissioner (OVIC) issues security guides to support the Victorian Protective Data Security Standards (VPDSS). This document provides organisations with guidance on security risk management fundamentals to enable them to undertake a Security Risk Profile Assessment (SRPA) as required under s89 of the Privacy and Data Protection Act 2014(PDP Act) and is designed to support practitioners and information security leads.
Member only content (join now)

Information Governance + COVID-19 Roundtable Report

by

To celebrate Information Awareness Month (IAM2020) and Privacy Awareness Week (PAW2020), we kicked off with an online panel discussion on the myriad of Information Governance issues arising from the COVID-19 pandemic. Our panellists included – Melanie Marks, Christopher Colwell,  Sonya Sherman, Dr Peter Chapman, Matthew Golab and the discussion was facilitated by Susan Bennett.  The importance of connectivity and of access to trusted information, the role of fit for purposes systems to capture records during a crisis and accountability for decisions made during the pandemic period were all highlighted. Discussion around the COVIDSafeApp emphasised that privacy by design and governance of data are key for user trust.  A key focus of the discussion were increased information security and cybersecurity risks with the move to working from home.  These include the risks of data leakage, data breach, shadow IT and cyber-crimes. In summary, the discussion emphasised that the myriad of information, records, […]
Member only content (join now)

Broken Trust – The Information Security Dangers of Insider Threats

by

  The increasing awareness of external cyber-security threats has executives focused on how their organisation can be defended against the “enemy at the gates”. But are organisations just as much at risk from an “enemy within”? In this article Dr Peter Chapman, Director in the Ferrier Hodgson Forensic Technology and eDiscovery team and InfoGovANZ advisory board member, provides an opinion and case study on insider threat. The media provides us with constant reminders of the threat of cyber-criminals and other external attackers. Recent legislative and regulatory changes such as the European Union GDPR requirements and mandatory breach notification amendments to the Australian Privacy Act have only increased our awareness, specifically with regards to ensuring that personally identifiable information (PII) in the possession of the organisation is safeguarded. While PII data is undoubtedly a target of external attackers, and external threats must be guarded against, organisations may be overlooking significant insider […]
Member only content (join now)

Information Security & Information Governance – how they work together

by

Information (data) security, cybersecurity and IT security all usually refer to the protection of computer systems and information assets by suitable controls, such as policies, processes, procedures, organizational structures and software and hardware functions. The type and extent of controls depends on the scope and maturity of the business function (usually the Security Department) applying the controls, or, depends on the specialisation/focus of the team, such as Perimeter/Firewall or Identity Management. Each function tends to have a different perspective of information security, compared to other functions, due to their focused specialisation. A close parallel is the health profession. You see a GP doctor when unwell, and are referred to a specialist who knows much more than your GP about a particular field of expertise. I know that my GP would not want to perform open heart surgery at all. And equally, a heart specialist would not have up-to-date and practical […]
Member only content (join now)

Cyber Insurance: how it works and the benefits of Information Governance

by

  As the number and size of cyber attacks on businesses continues to increase, the risk of experiencing a data breach is higher than ever. The resulting cost of these breaches can be significant – according to the Ponemon Institute’s 2017 Cost of Data Breach Study, these totalled $2.51 million per year across the organisations that were recruited for the research. As a result, an increasing number of organisations are choosing to invest in a cyber insurance policy, which allows them to claim cyber incident response expenses, regulatory fines, legal defence costs and business interruption losses. In other words, offset the cost of a potential data breach. This article outlines the benefits of cyber insurance and explains why, in today’s digital age, it is vital for organisations to invest in this class of insurance, in addition to understanding the information governance obligations that their insurance policy places on them. What […]
Member only content (join now)