New Validation From Australia’s Federal Regulators Gives EIC Customers Even Greater Peace of Mind
Modern business operations rely on security vendors to ensure the safety of applications, data, and infrastructure in the cloud. But before entrusting them with their entire operation, how can customers ensure that their security vendor meets top industry standards?
IRAP provides the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to the Australian government. We’re proud to announce that Saviynt successfully completed its rigorous assessment, confirming our Enterprise Identity Cloud (EIC) at the “Protected” level.
The IRAP assessment provides a path for Saviynt to work with the Australian government and opens the door for us to provide intelligent identity and access governance solutions to Australian federal, state, and local government agencies. The assessment assures that we’re investing resources correctly to ensure the data of entire governments — and organizations like yours — are fully protected from unauthorized access.
Short on time? Watch our 2-minute takeaway on the IRAP assessment
How The IRAP Assessment Works
The Australian Cyber Security Centre (ACSC) monitors global cyber threats and leads the government’s efforts to make Australia the most secure place to connect online. It administers assessments under the new, post-CCSL Cloud Security Guidance outlined in the Anatomy of a Cloud Assessment and Authorisation guidance from the ACSC.
For the assessment, Saviynt engaged an ACSC-accredited IRAP assessor, Anchoram Consulting, who examined the security controls and processes used by Saviynt’s entire IT operations team. This included our physical data centers, intrusion detection, cryptography, cross-domain and network security, access controls, and information risk management of all in-scope services.
As anyone who has prepared for one knows, federal audits are time-consuming and documentation-intensive. For security vendors undergoing an IRAP assessment, the process takes twice as long and the examination — covering almost 400 separate controls — is comprehensive, demanding, and holistic.
In August 2022, independent assessors completed a comprehensive review of how we approach threat management (detection and prevention) and how we transition from event to incident to final remediation. They examined how we keep our people, processes and technologies updated and in top fighting form, as well as how effectively different teams communicate with each other on the backend. From deployments to patches to vulnerability management, assessors evaluated all aspects of Saviynt operations with a fine-tooth comb.
IRAP Assessment Specs and Findings
The risk management framework used by the Australian Government Information Security Manual (ISM) draws from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Rev. 2. Within this framework, risks and security control selection can be identified using standards such as International Organization for Standardization (ISO) 31000:2018, Risk management Guidelines.
The ISM risk management framework has six steps:
- Define the system
- Select security controls
- Implement security controls
- Assess security controls
- Authorize the system
- Monitor the system
Endorsed IRAP assessors provided an independent evaluation of Saviynt’s ICT security and found that our system architecture is based on sound security principles, the appropriate ISM controls are in place, and are fully effective within our assessed services.
This IRAP assessment of Saviynt’s services and cloud operations helps assure public sector customers and their partners that Saviynt has the correct security controls in place for processing, storing, and transmitting data classified up to and including the level of “Protected.” This milestone should provide confidence to anyone wanting to take advantage of the full breadth of the Saviynt Enterprise Identity Cloud.
As the world moves toward cloud adoption, the private and public sectors need validated solutions that can safeguard privacy and data. Collaboration between regulators and vendors is critical to building strong defense. This is why Saviynt will be participating in the IRAP biennially to ensure we are continually growing.
