
Security

Overview

AUCyber is an Australian-owned and operated Sovereign Cloud Service provider that delivers services exclusively to Australian Government, Critical National Industries (CNI) and secure enterprise organisations.

AUCyber’s core tenet is the protection of the confidentiality, integrity and availability of data: both AUCyber’s own and that entrusted to AUCyber by its customers.

AUCyber’s Information Security Management System (ISMS) is based upon a robust security framework of information security governance, policies, plans and procedures that are aligned with the Australian Government’s PSPF and ISM as well as International Standards such as ISO27001. AUCyber’s approach to security is continual assessment for a wide variety of threats and vulnerabilities that, if left unchecked, could compromise information assets or the supporting assets upon which they depend for their security.

AUCyber is IRAP certified to PROTECTED and ISO27001 certified with the scope of certification covering:

  • Development, management, operation and security of the AUCyber portal, information systems and related infrastructure.
  • Management, operation and delivery of sovereign, secure Infrastructure as a Service, Backup as a Service and Disaster Recovery as a Service.

AUCyber’s IRAP certification encompasses all operating environments (Canberra, Sydney, Brisbane and Melbourne), all of which have been designed to meet or exceed PROTECTED level ISM controls.

Community Rules Information Security Policy (CRISP)

To be part of the AUCyber community, customers must agree to abide by AUCyber’s Community Rules Information Security Policy (CRISP), which is signed by the customer’s CIO or CISO prior to commencement. The CRISP is the formal, top-level security document which identifies those aspects of the cloud service that are the responsibility of the AUCyber CISO and those that are within the remit of the data-owning customer’s CIO/CISO.

All AUCyber partners and customers using Sovereign Cloud environments must comply with AUCyber’s Community Rules Information Security Policy (CRISP).

AUCyber’s CRISP dictates the behaviours and practices of the ‘cloud community’. It sets out our responsibilities as well as the responsibilities of our partners/customers to eliminate any operational or process weakness. This delivers both superior security controls for individual partners/customers as well as the highest level of integrity of all our cloud environments.

Users cannot be serviced in AUCyber if they do not explicitly agree to the CRISP. Further, no remote support is enabled for uncleared personnel for any service hosted by AUCyber.

AUCyber’s CRISP ensures all our users benefit from increased security across the whole community.

Essential 8

AUCyber has implemented the Essential Eight Strategies to Mitigate Cyber Intrusions to a minimum of Maturity Level 2. Additional ACSC advice and strategies to mitigate cyber security incidents are implemented using a risk-based approach to the AUCyber security program.

SOC

AUCyber infrastructure and supporting services are monitored by a 24/7 Security Operations Centre (SOC). The SOC provides proactive cyber threat monitoring of AUCyber’s internal networks as well as the perimeter protection of all AUCyber customers.

The Security Operations Centre:

  • monitors, logs and analyses all cyber traffic on a continuous basis
  • provides near real-time cyber monitoring, triage, analysis and incident response
  • enables cyber threat intelligence at scale
  • conducts vulnerability scanning to ensure an enhanced cybersecurity posture