Making the world a safer place

Case Studies

CQR are currently rebuilding our catalogue of case studies to reflect the strong partnerships and relationships we have with our clients and the range of projects we have collaborated on. Each case study looks at the viewpoint of an organisation, based on its individual situation and its own objectives.

At CQR we work with our clients to enable them to achieve their desired outcomes in the most effective way possible, assisting them to identify and manage their business risks so that their business not only survives but thrives.

See below our most up-to-date case studies, and bear with us while we rebuild our catalogue.

The Australian Health Service Alliance (AHSA) is a service company that represents more than 75% of the nation’s private health insurance funds. Established in 1994, the AHSA enables funds to pool resources and respond more effectively to the changes occurring in the private health industry.

AHSA provides a portfolio of services for its members including management of healthcare provider relationships, negotiation of contracts, data analysis and provision of educational services and training. The Alliance operates from a headquarters in Melbourne and has 40 staff.

The importance of security

In the course of providing services to health insurance funds, AHSA handles considerable volumes of sensitive data. This includes records of patient visits to hospitals together with details of the treatments provided.

As a result, there is a heightened need to ensure this data is stored securely and is not prone to misuse or theft. According to AHSA Chief Information Officer Glen Mclean, this task was becoming more complex as the nature and volume of cyber threats increased.

“In early 2017, our existing IT security partner unexpectedly closed its doors, leaving us without access to expert support or advice,” he says. “This forced us to go to the market in search of a new provider.”

Finding a new partner

After carefully reviewing a range of alternatives, a decision was made to establish a relationship with CQR. Mclean says the firm’s CREST accreditation, together with its considerable experience and deep technical knowledge, made it stand out in the marketplace.

“As a first step, CQR undertook a familiarisation review of our operations to fully understand the security tools and processes we had in place and identify any risks that needed to be addressed,” he says. “They then conducted penetration testing of our website and underlying IT systems to ensure our protective measures were sufficiently robust.”

The next step was to review AHSA’s business continuity and disaster recovery plans. Senior management wanted to be confident that, should a cyber attack occur, any impact to operations could be avoided or minimised.

“We hadn’t previously had a comprehensive plan in place and so CQR worked to create a detailed checklist of the steps we would need to follow in the event of an incident,” says Mclean. “Potential scenarios covered include a denial of service attack, loss of data through hacking and an incident of ransomware.”

Undertaking staff education

Another element of the security evaluation process was the staging of an educational seminar for all AHSA staff. CQR created a presentation that highlighted the potential security risks faced by the organisation and the role each staff member could play to avoid incidents occurring.

“The seminar was very comprehensive and we received positive feedback from all participants,” says Mclean. “It covered a wide range of topics including everything from dealing with suspicious email attachments to the risks associated with using unfamiliar USB keys.”

An ongoing relationship

With the initial review completed, a business continuity plan in place and staff educated about cyber security risks, Mclean says AHSA is better placed to withstand any problems that might arise in the future.

“We are now much more prepared to respond to any problems, whereas in the past we might have found ourselves floundering just a bit,” he says. “We have also put in place an incident response agreement with CQR so we know they will be available to assist us should an incident occur.”

Mclean says CQR remains a valuable partner who can provide ongoing guidance and support to the organisation on every aspect of IT security.

“We are in the business of providing support to insurance companies, and our relationship with CQR is like an insurance policy for our cyber security – it gives us a great sense of confidence.”

As one of Australia’s leading utility companies, Jemena owns and operates a diverse collection of energy and water transportation assets across the nation. The company delivers gas, electricity and water services to millions of domestic and business customers via pipelines and networks valued at more than $10.5 billion.

Jemena’s Australian infrastructure includes an 11,000km-long electricity network in Victoria, a 25,000km gas network in New South Wales, gas pipelines in Queensland, and a second pipeline connecting Victoria’s Gippsland Basin to Sydney. Jemena is jointly owned by the State Grid Corporation of China and Singapore Power.

Securing operational technology assets

As a utility company, Jemena is heavily reliant on the SCADA systems that monitor and control its numerous networks. Data generated by these operational technology (OT) systems is relayed to the company’s data centres in New South Wales and Victoria and processed by a fleet of 70 servers and 30 workstations.

“Having effective security in place is vital to ensure we are able to meet the needs of our customers at all times,” says Calvin Li, Jemena’s SCADA Security Engineer. “If any problems occurred in our control systems it could cause disruption to our customers.”

To ensure the security mechanisms and methods in place were the best possible, a decision was taken in early 2017 to attain internationally recognised ISO 27001 certification. “We knew we had a range of security elements in place but we wanted to be sure they were operating together as a cohesive whole,” says Li. “Also, as there is no recognised security framework for operational technology, we felt ISO 27001 would be the best fit for us.”

Assessing the gaps

As a first step in the compliance process, the Jemena security team undertook a gap analysis designed to determine where any weaknesses might exist. This involved a thorough assessment of everything from the physical security within the data centres to the hardware and software supporting the SCADA systems.

Li says CQR’s extensive experience in the utilities sector, together with its sound knowledge of what is required to reach full ISO 27001 compliance, made the decision a simple one, and work began in mid-2017.

Achieving compliance

Working alongside the Jemena security team, CQR reviewed each identified gap and advised on the steps required to close it. CQR also conducted training for team members to ensure they understood what was required to not only achieve certification but retain it in the longer term.

Work then focused on building the frameworks, strategies and workflows that would be needed to meet the requirements of ISO 27001.

“Once we believe we have undertaken all the steps, CQR will conduct an internal audit to determine whether there are still any gaps that need to be addressed,” says Li. “We will then complete any remedial work before our final, formal audit, which we are aiming to have take place by October.”

Business benefits

Once ISO 27001 certification has been attained, the Jemena SCADA management team will be confident that proper guidelines and best practices are in place to ensure the highest possible security standards.

“We will also have a comprehensive, documented security framework in place that all staff can follow into the future,” says Li. “Our senior management is keen to have this as a standard approach that is followed across the company.”

Li says that, because energy companies are heavily monitored by the Australian energy regulator, having compliance will be clear evidence that Jemena has taken all steps necessary to ensure the security of its critical SCADA infrastructure, and is operating in alignment with a recognised international standard.

Further benefits will follow once the company attains compliance with the ISO 55001 asset management standard later this year. This will serve to further strengthen security and ensure Jemena is best placed to meet any future issues that might arise.

“Our challenge will then be to ensure both certifications work together as a cohesive whole and CQR is working to help make sure this happens,” says Li. “There is no point having two frameworks in place that are not tightly integrated.”

Established in 1966 as the West Australian Institute of Technology, Curtin University is a leading academic and research facility. With campuses in Perth, Kalgoorlie, Dubai, Malaysia, Singapore, and Mauritius, Curtin has more than 56,000 students. Academic faculties include business and law, science and engineering, humanities, and health sciences.

On the research front, Curtin is active in a diverse range of areas including communities and changing environments, resources and energy, IT and communication, and health.

The challenge of funding

Like all tertiary institutions with active research programs, Curtin is reliant on attracting grant funding to support its physical infrastructure and academic teams. Funding is sourced from government bodies as well as private-sector firms.

“It’s a matter of making yourself as attractive as possible for potential research partners,” says Richard Addiscott, Director IT Planning, Governance and Security at Curtin University. “We need to be constantly looking for ways in which we can ensure the University is regarded as a trusted partner and becomes the natural choice for industry, government, and other academic institutions seeking to collaborate in cutting-edge research initiatives.”

To support this goal, a decision was made in early 2016 to improve the information security credentials of two of the university’s research groups: the Health Systems and Health Economics (HSHE) group within the Health Sciences Department and the Centre for Data Linkage (CDL) housed within the Centre for Population Health Research.

“My team and I saw it as critical that information security should be seen as a business enabler rather than an inhibitor, which is how it’s often been viewed in the past,” says Mr. Addiscott. “To do this, we worked with the Research Office at Curtin to identify opportunities where attaining certification against the internationally recognised ISO 27001 information technology security standard would be of strategic benefit.”

Research Theme Leader for Curtin’s Health Systems and Health Economics group, Dr. Suzanne Robinson, says they were supportive of the initiative from the outset. “From a researcher perspective, data governance and security is a fundamental part of our work and attracting research funding. It’s an exciting time when we consider the potential we have in relation to data and research. Having ISO 27001 accreditation allows us to demonstrate our commitment to data security and provides a framework for us to assess our standards and approaches, which in turn gives confidence to our industry partners.”

A strategic approach

The first step in the process was to explain to the research groups what was involved and the benefits it would deliver. Buy-in for the project was also sought from the University’s senior executive team and funding secured.

“We also undertook a visit to Monash University in Melbourne where the certification had already been achieved,” he says. “After seeing firsthand the processes they had followed and the business benefits they had obtained, it was clear that we needed to go down the same path.”

The Curtin information security team recognised that it would only achieve its goals through proactive collaboration and assistance from its various internal stakeholder groups, including time and effort from the CDL and HSHE teams. It was also clear that it would need assistance from an experienced external partner. After reviewing a number of alternatives, an agreement was signed with CQR.

“We could see CQR clearly had the experience and expertise to help us through the certification process,” says Mr. Addiscott. “I wanted people who understood security from a risk and compliance perspective as well as a technical perspective, and CQR was able to cover both areas.”

Process phases

The first phase of the process began in early 2017 and involved a series of workshops led by the CQR team. These were designed to establish the scope of the project and confirm which areas and research teams would be involved.

Mr. Addiscott says it’s important to be conservative and limit the scope of the certification environment in the first instance, and to focus on specifically defined areas. “You don’t try and eat the elephant all at once, but instead take bite-sized chunks over an extended period,” he says. “Once you have achieved certification in one area it is then easier to extend it to cover others in the future.”

The project’s second phase involved careful assessment of all the information assets that currently existed within the defined areas that were to be certified. This included everything from stored data and servers to desktop PCs, mobile devices and network infrastructure.

The team then undertook the third phase, in which CQR conducted a series of risk and asset assessment workshops. All security products, services and procedures already in place were evaluated to determine whether they were providing a sufficient level of protection. Any gaps were identified and steps established to have them closed.

“At the end of the process, we had created a comprehensive Information Security Management System (ISMS) that set out all the policies and procedures needed to keep the research team’s data secure at all times. This is the foundation for achieving ISO 27001 compliance.”

With the ISMS complete and all security measures and procedures documented, CQR undertook a complete internal audit. Every component of the certification was reviewed to determine that the university would meet each requirement of the standard.

“A team of external auditors from SAI Global then came to the university for the formal evaluation. I am pleased to say that, thanks to the work undertaken by our IT team and CQR, we were awarded full ISO 27001 compliance on our first attempt in 2017.”

An ongoing process

With the certification now in place, attention is shifting to finding other areas within the University that could benefit from following the process.

“We are also seeing a flow-on, ripple effect from the work that has been completed,” says Mr. Addiscott. “It has led to increased security awareness and experience across Curtin’s broader IT team, enabling us to set about continuously maturing our security practices across the spectrum from password management to penetration testing.”

While certification has been achieved, it is certainly not a one-time activity. Procedures and security measures must be constantly evaluated to ensure they meet the strict criteria at all times. This involves an annual review which must be passed for the ISO 27001 certification to be retained.

“CQR will continue to assist us with this process going forward,” he says. “With their proven track record of experience in providing information security services to health organisations and to educational institutions, I’m confident they will remain a valued partner to the university.”
