Submission to the Guiding Principles to Embed Zero Trust Culture

Amstelveen


25 Mar 2025

Department of Home Affairs
6 Chan St
Belconnen ACT 2617

Re: Response to Consultation Paper – Guiding Principles to Embed Zero Trust Culture

Amstelveen welcomes the opportunity to provide feedback on the proposed guiding principles to embed a Zero Trust Culture across the whole of Government.

Amstelveen is a specialist risk, technology and compliance consultancy which operates across Australia and New Zealand. Our clients include public and private sector organisations which generally have a high degree of exposure to technology and cyber-related risks, such as those in government, financial services, telecommunications and energy.

In this submission, we have responded to a subset of the questions listed in the consultation paper titled “Guiding Principles to embed Zero Trust Culture”. Our response follows a review of the Zero Trust Culture principles listed in the consultation paper and of the Protective Security Policy Framework (PSPF) released in 2024.

Strengthening the Commonwealth’s overall cyber security posture and enhancing cyber fluency will establish a strong foundation for implementing effective Zero Trust infrastructure and culture. The following responses are framed using a risk-based approach, informed by insights gained from Amstelveen’s extensive experience across various industries.

Cyber Risk Management

1. In your experience, what key factors contribute to the successful identification of cyber risks across different business units? How should the Commonwealth foster and maintain collaboration among these groups?

A best practice approach involves developing a comprehensive, end-to-end view of key cyber risks by identifying and assessing threats, vulnerabilities, assets and controls within the operating environment. This approach should be conducted by each business unit while also considering the broader organisational context. It is important to recognise that each functional area may have unique strategic objectives, key business processes, regulatory requirements, compliance obligations, systems, and data. In our experience, the successful identification of cyber risks across different business units is underpinned by the following factors:

  • Clear Communication and Awareness

All business units must understand the importance of cyber security and be aligned on the potential risks facing the organisation. Regular training and awareness programs should be implemented and tailored to specific roles within each business unit to help identify risk early and to reiterate every individual’s role in managing risk. Roles and responsibilities to facilitate this process should be clearly outlined in the appropriate risk management framework. This will provide a shared understanding of benchmarks and best practices for cyber security and risk management.

  • A Centralised Risk Management Framework

A centralised risk framework aligned to industry best-practices such as ISO 27001 and NIST should be in place to provide a consistent, standardised approach to identifying, assessing, mitigating and managing cyber risks across the organisation. By adopting a standardised methodology, cyber risks are recognised not only by technology teams but also as potential risk events that can impact various business units. This approach helps quantify cyber threats by evaluating both their likelihood and potential impacts across different areas of the organisation, such as operations, finance, and people.

When supported by an effective Enterprise Risk Management (ERM) framework, this approach encourages collaboration across business units, helps everyone in the organisation understand their role in managing cyber risks, and improves the completeness of cyber risk management and how it is embedded and monitored in enterprise risk profiles. This promotes a more proactive and shared responsibility for cyber security.

  • Triggers for Identifying and Monitoring Cyber Risk

Organisational frameworks for cyber risk management should facilitate a top-down and bottom-up approach to proactively identify, manage and monitor cyber vulnerabilities and threats across the organisation, considering internal and external factors.

The top-down approach involves executive leaders and senior management taking the lead in identifying possible cyber risks across the organisation. This approach focuses on setting the strategic direction for cyber security, alignment with business objectives and making informed decisions based on an assessment of risk. Executive leaders typically rely on formal risk management processes, governance frameworks, and strategic oversight to assess and address cyber risks effectively.

The bottom-up approach focuses on gathering insights and identifying cyber risks from the operational level, where systems, processes and activities are directly managed. This approach encourages the involvement of employees, system owners and teams who engage with technologies, data and infrastructure on a daily basis. It draws on the knowledge and experience of frontline teams to identify potential vulnerabilities that may not be immediately apparent to senior management.

Effective cyber risk identification should also involve an analysis of both internal and external factors that can influence an organisation’s security posture.

Internal Factors: These include service delivery, the existing IT environment and any significant changes to systems or business processes. For example, in projects aimed at improving existing systems, organisations should remain vigilant to new risks, particularly in light of evolving regulatory or compliance requirements. Where there has been an incident, organisations should review the root causes and lessons learned, and identify any security gaps that must be addressed to prevent similar incidents from recurring.

External Factors: These include the economic climate, recent cyber incidents, and emerging threats within the industry, all of which are crucial in shaping an organisation’s cyber risk profile.

  • Continuous Monitoring and Reporting

By tracking key cyber metrics, Key Risk Indicators (KRIs) and other relevant data points, organisations can gain real-time insights into potential vulnerabilities, emerging threats, and changes in the security landscape. This ongoing monitoring allows for early detection of abnormal activities, system weaknesses, or compliance gaps, enabling prompt action to address risks before they escalate into larger issues.

Regular monitoring helps organisations stay informed about potential threats and adapt to the evolving cyber risk environment. By identifying emerging risks, organisations are able to take a proactive approach to risk management allowing these risks to be considered and assessed in a timely manner.

  • Comprehensive Asset Register

A comprehensive and accurate asset register may directly support the identification and assessment of cyber threats. By understanding the full scope of assets, including their purpose, value and sensitivity, organisations can better identify potential cyber threats targeting specific assets. The asset register provides critical context for evaluating vulnerabilities and threats such as unauthorised access, data breaches and cyber-attacks, based on the asset’s role in the organisation, the type of data it holds (e.g. PII, SII) and any compliance obligations. By evaluating the likelihood and potential impact of cyber threats on each asset, the asset register becomes a key tool in identifying, mitigating and managing these risks (Kassa, 2017).

  • Stakeholder Engagement and Collaboration

Engaging key stakeholders from all business units, including executive leaders and subject matter experts (SMEs), in risk management discussions is crucial for effectively identifying and managing cyber risks across the organisation. As cyber risks often emerge at the intersection of technology and business operations, involving stakeholders with in-depth knowledge of critical business processes, and IT system owners helps uncover technical and operational risks that may otherwise go unnoticed. This collaborative approach ensures that cyber risks are recognised as an enterprise-wide concern rather than isolated to individual departments.

To foster and maintain collaboration among business units, the Commonwealth should:

  • Establish cross-functional forums: Form committees or working groups that include representatives from all relevant business units, so cyber security is discussed regularly and at all levels. This will help encourage meaningful discussion and collaboration across the organisation.
  • Promote a cyber risk culture: Prioritise cyber security as part of Commonwealth’s core organisational culture where cyber security is integrated into decision-making processes at all levels. This means embedding cyber security discussions into regular meetings and making sure business units are aware of the risks they face and their role in managing them.
  • Regular feedback loops: Conduct regular reviews with representatives from each business unit to incorporate lessons learned and share tools, resources and expertise for cyber risk identification.

2. Are there preferred frameworks or standards used by your organisation to identify and assess cyber security risks across your organisation, including both internal systems and third party services?

Amstelveen’s approach to identifying and assessing cyber security risks involves the use of a combination of globally recognised frameworks and standards. Applying these standards and frameworks ensures a comprehensive and consistent methodology for managing and assessing both internal systems and third party services. These frameworks assist organisations to assess the security posture of their internal systems, identify vulnerabilities and mitigate risks effectively. The following are commonly used by Amstelveen across different client engagements:

  • ISO-IEC 27001 – As the internationally recognised standard for information security management, ISO 27001 provides a robust framework for establishing, implementing and maintaining an information security management system (ISMS). This framework enables organisations to assess information security risks and ensure appropriate controls are in place to improve data security and protection against cyber threats.
  • ACSC’s Essential Eight – The framework provides a core set of cyber security controls to mitigate common cyber threats. It is widely adopted across both public and private sectors, especially in government agencies and critical infrastructure organisations.
  • CPS 234 Information Security – While this prudential standard is applicable to APRA-regulated entities only, it provides a robust reference point for the implementation and embedment of a strong cyber security framework. The standard (and accompanying guidance) supports organisations in designing systems and controls that are resilient to cyber threats and can recover from incidents that could impact their operations.
  • NIST Cybersecurity Framework (CSF) – The NIST CSF offers a flexible, risk-based approach for identifying, assessing and managing cyber security risks. The framework focuses on five key functions including Identify, Protect, Detect, Respond, and Recover, and helps organisations assess cyber security risks across various internal systems and third party services. This approach allows for the identification of cyber security risks across operational, technology and digital infrastructure.
  • Control Objectives for Information and Related Technologies (COBIT) – COBIT is a widely recognised governance and management framework for enterprise IT. It is particularly useful in aligning cyber security risk assessments with broader enterprise governance objectives, ensuring that risk management practices are integrated with organisational strategic goals.
  • CIS Controls (Center for Internet Security Controls) – The framework provides a set of best practices designed to help organisations improve their cyber security posture by focusing on the most critical actions to defend against prevalent cyber threats. The framework is comprised of 20 controls, prioritised and designed to address common attack vectors and weaknesses in systems.
  • CSA (Cloud Security Alliance) Security, Trust and Assurance Registry (STAR) – For clients leveraging cloud services, the CSA’s STAR framework is vital in assessing the cyber security risks associated with third party cloud service providers. The framework provides transparency and ensures that third party cloud providers meet appropriate security and compliance standards.
  • Third Party Risk Management (TPRM) Frameworks – Amstelveen recognises that clients are increasingly reliant on external vendors and partners for critical services, meaning emphasis is placed on managing risks associated with third party services. We support organisations in implementing strong TPRM Frameworks, which are informed by standards including ISO 27001, 27002, 27018 and NIST SP 800, and industry best practices like ISO 22301 for business continuity, COBIT for IT governance, and SOC 2 for evaluating vendor data security. A common tool used to evaluate the cyber security posture of third party vendors is the cyber security questionnaire, which focuses on areas such as data protection, incident response and security controls, and compliance with relevant security frameworks.

Amstelveen’s approach is also informed by our collaboration with clients to understand their business objectives, organisational structure, and current risk maturity. We use this understanding of our clients to determine the most appropriate methodology for identifying and assessing cyber security risks. This approach ensures that clients maintain a secure environment while adhering to best practices and regulatory requirements.

Roles & Responsibilities

3. How should the Commonwealth ensure that cyber security roles and responsibilities are defined and communicated across different levels of their organisation, from executive leadership to frontline staff?

To support Principle 2 of the Consultation Paper (p. 6) and embed accountability into the Zero Trust Culture across each Commonwealth entity, Amstelveen offers the following suggestions to guide future requirements within relevant frameworks:

  • Design roles to fit the Commonwealth or entity-level structure

The Commonwealth should design the roles in managing cyber security and cyber risk by considering the following questions:

  • How large and diverse is the organisation?
  • How is the organisation structured?
  • How is the organisation geographically dispersed?
  • What activities must be undertaken to manage cyber security and cyber risks? This includes activities directly addressing cyber security, such as incident response and risk monitoring, and indirectly, such as controls assurance and audits.
  • What is the current level of skills, experience and competencies for handling cyber security risks? Is there an ideal state that the Commonwealth entity wants to reach?
  • What are the cyber security goals, objectives and strategies?
  • Do certain business units or functions require their own separate risk management roles?

There are some roles that have been identified commonly across industry, such as Chief Information Security Officer, Information Security Officer, IT System Owner, Data Protection Officer, Security Incident Response Team, and Compliance Officer. By considering these questions, Commonwealth entities can make more informed decisions on how roles can be distributed across their organisation in order to deliver all risk-related activities.

  • Define and Communicate Roles and Responsibilities Clearly

To clearly define and delineate responsibilities for each role in the Information and Cyber Security Policies, it is suggested that a robust RACI Matrix framework is defined and endorsed to achieve the clear and “consistent understanding of accountabilities and escalation pathways” outlined in Principle 2 of the Consultation Paper (p. 6). For clarity, a RACI includes a clear outline of policy requirements, mapped to stakeholders that are:

  • Responsible: the individual required to complete the task.
  • Accountable: the individual liable for the completion of the task, which involves managing the individual(s) marked as ‘Responsible’ for the task.
  • Consulted: the individual with subject-matter expertise or decision-making capabilities, who provides input data, advice, feedback or approvals to complete the task. These individuals can be from other departments in the Commonwealth, external or independent regulators.
  • Informed: the individual(s) who must be kept informed of the status and outcome of the task’s completion, but are not directly involved with completing the task.

The RACI should outline the relationship between different stakeholders, and the key contact during each stage of the risk management process. Applied effectively, it gives stakeholders a clear structure that guides them to engage at the appropriate time in each situation. It also reduces the likelihood of the same responsibility being mapped to multiple roles, and thus improves efficiency when handling and delivering risk-related activities. Further, clear roles and responsibilities enable artefacts like action plans and roadmaps to be created for a unified view of individuals’ objectives, progress, timelines and assignments, both in the change plan and in business-as-usual (BAU).

  • Embed in Policy Frameworks and related Documents

Once responsibilities have been defined for each role, these cyber security roles and responsibilities should be embedded into and clearly outlined in relevant policy frameworks, procedure documents and processes. This approach helps emphasise that cyber-related responsibilities, such as protecting the organisation’s digital assets and infrastructure, are everyone’s responsibility, and that this collective responsibility extends beyond IT teams to all employees, regardless of their position or function.

  • Facilitate Role-Based Training

To better ensure that the roles and responsibilities remain relevant for each assigned staff member, it is suggested that comprehensive role-based training is organised and mandated. Role-based training sessions can support staff members by communicating what is expected of them in their cyber-aligned roles, and by consolidating their understanding of what is required to fulfil their responsibilities effectively (NIST, 2020). Role-based training would tailor the content to be more relevant to each role, covering skills that are directly relevant to their respective roles, and increasing awareness of practical applications in their day-to-day activities (Terranova Security, 2024). Training should be administered continuously to uplift employee cyber awareness and to address any relevant changes to the content of the training which may result from security incidents, material changes in the environment or regulatory space, or updates to the roles and responsibilities themselves.

Cyber Fluency

6. What requirements and policies are most effective to ensure that all areas within an organisation (technical and non-technical) develop a necessary baseline understanding of cyber security concepts applicable to their roles?

Cyber security culture, and Zero Trust culture, are inextricably linked to the organisational and risk culture present across the Commonwealth. An individual’s understanding of cyber security concepts becomes more enriched when they recognise how this knowledge directly supports broader strategic objectives and underpins risk management practices.

Risk culture refers to the norms and behaviours within an organisation that inform how risk is addressed. A positive risk culture would shift towards risk being addressed intrinsically in the day-to-day operations of each individual and group.

Amstelveen would suggest that a matured and positive risk culture, from Senior Executives to front-line employees, would make it more effective for employees to sustain a baseline understanding of cyber security concepts. A strong risk culture enables all Commonwealth Government staff to manage risk intrinsically in their business processes and systems.

Where risk culture is insufficient, it is likely that the focus on governance, risk management and internal controls will be inadequate (APRA, 2016). Risk culture can be fostered through explicit messaging, positive reinforcement, and formal education programmes, and measured through customised staff surveys, dashboards to monitor and report key risk culture metrics, and external assurance reviews (Australian Government Department of Finance, 2019). The PSPF refers to security awareness training as an integral component for achieving the “positive security culture” outlined in Requirement #23 (p. 11). Amstelveen suggests that the framework build upon Requirements #24 and #25 (p. 12) to capture and facilitate activities that can measure how risk and security culture is performing, and to continuously update the content of the security awareness program to align with the changing environment within the organisation as well as with external factors.

8. What requirements would you recommend to ensure that effective metrics and benchmarks are implemented?

Metrics, such as Key Performance Indicators (KPIs) and Key Control Indicators (KCIs), should clearly indicate how effectively the implemented requirements translate into the expected Zero Trust behaviours across each Commonwealth entity. The key objective of implementing metrics is to provide Senior Management with relevant and quantifiable data on the organisation’s risk and security posture, in order to enable greater risk-informed decision-making (NIST, 2018). Amstelveen would suggest that the Commonwealth define baseline metrics for key risk and control areas. These metrics are to be linked to clear policy statements and principles, and supported by mechanisms for enforcing and monitoring policy compliance, such as regular audits, automated compliance checks, employee training programs, and clear escalation procedures for policy violations. These mechanisms help monitor adherence to security standards and provide continuous oversight of policy compliance across the organisation.

These metrics should be outcome-based and directly linked to a specific organisational goal. By ensuring this link is clear, the Commonwealth can more reliably compare performance with other metrics and other entities. The SMART framework is widely used to help structure how metrics are defined, to improve clarity and remove duplication across measures. SMART recommends that each metric demonstrate the following attributes: Specific, Measurable, Achievable, Relevant, and Time-Bound. To illustrate this through an example, Requirement #101 in the PSPF states “Multi-factor authentication mitigation strategy is implemented to Maturity Level Two under ASD’s Essential Eight Maturity Model” (p. 69). Below, we have provided a worked example showing an example metric, and how it can be developed using the SMART framework.

Example Metric: “Percentage of staff members across all entities who have multi-factor authentication (MFA) enabled on their local user account”, reviewed on a monthly basis, where:

  • Specific – Specifies the quantitative measurement (percentage), audience (staff members across all entities), and the parameter (MFA enabled on local user account).
  • Measurable – Quantifiable as the percentage of staff members across all entities with MFA enabled on their local user account, out of all staff members across all entities. The metric is assessed against defined risk tolerance levels and trigger points to highlight areas of heightened risk. It also supports broader Key Risk Indicators (KRIs) and enhances cyber monitoring by providing clear benchmarks to assess and mitigate security vulnerabilities.
  • Achievable – Viewed as achievable given the activity required is to configure user accounts so that MFA is a compulsory step.
  • Relevant – Directly relates back to Requirement #101 for MFA.
  • Time-Bound – The metric is reviewed on a monthly basis to detect any low performance scores in a relatively swift timeframe.

Continuous monitoring and improvement are an integral component of using metrics to assess risk management practices. The executive level at the Commonwealth and Commonwealth entities should be involved during the development of the metrics to be used, to ensure that they align with organisational, strategic and risk-specific objectives. Continuous monitoring should be governed from the top down, with executive-level personnel accountable for it.

Metrics can be applied at three different levels: system, program, and organisation (NIST, 2024). Responsibility for continuous monitoring and reporting of these metrics should be assigned to the appropriate person(s) depending on the level at which each metric is applied. These metrics can be centrally monitored and reported through dashboards as well as certain tools (such as Governance, Risk & Compliance (GRC) systems) that can be integrated with applications or systems used for cyber risk management. Where the Commonwealth’s internal and external environments shift dynamically, implemented metrics should be reviewed and tested to ensure they remain accurate, effective and relevant to strategic objectives, risk management strategy (including risk appetite and tolerance levels), and industry benchmarks.
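As an added illustration of the MFA coverage metric described above (example code written for this page, not part of Amstelveen’s submission or of the PSPF), the following script computes the metric per entity and across all entities from an account inventory, rates each result against a tolerance level and a trigger point, and lists the scopes requiring escalation. The inventory is constructed sample data, and the tolerance (98%) and trigger (90%) values are assumed for illustration; the consultation paper and this submission do not specify them.

```python
"""Monthly MFA-coverage KRI: percentage of local user accounts with MFA enabled,
reported per entity and for all entities, rated against tolerance and trigger levels.
Example code added for illustration; entities, users and thresholds are hypothetical."""
from collections import defaultdict

# Assumed thresholds (not specified by the page): at or above TOLERANCE_PCT the
# metric is within appetite; below TRIGGER_PCT it breaches the escalation trigger.
TOLERANCE_PCT = 98
TRIGGER_PCT = 90


def _make_accounts(entity, n_total, n_enabled):
    """Build a constructed inventory slice: n_total accounts, the first n_enabled with MFA."""
    slug = entity.lower().replace(" ", "")
    return [
        {"entity": entity, "user": f"{slug}-{i}", "mfa_enabled": i < n_enabled}
        for i in range(n_total)
    ]


# Constructed sample inventory: three hypothetical entities with differing coverage.
SAMPLE_ACCOUNTS = (
    _make_accounts("Entity A", 5, 5)    # 100% coverage
    + _make_accounts("Entity B", 10, 9)  # 90% coverage, exactly at the trigger
    + _make_accounts("Entity C", 4, 2)   # 50% coverage
)


def coverage_by_entity(accounts):
    """Return {entity: (enabled, total)} counted from the account inventory."""
    counts = defaultdict(lambda: [0, 0])
    for account in accounts:
        counts[account["entity"]][1] += 1
        if account["mfa_enabled"]:
            counts[account["entity"]][0] += 1
    return {entity: (c[0], c[1]) for entity, c in counts.items()}


def percentage(enabled, total):
    """Coverage as a percentage rounded to one decimal place; 0.0 when there are no accounts."""
    return round(100 * enabled / total, 1) if total else 0.0


def rate(enabled, total, tolerance_pct=TOLERANCE_PCT, trigger_pct=TRIGGER_PCT):
    """Rate coverage against the thresholds using integer arithmetic, so a result
    that sits exactly on a threshold is classified without floating-point error."""
    if total == 0:
        return "no data"
    if enabled * 100 >= tolerance_pct * total:
        return "within tolerance"
    if enabled * 100 >= trigger_pct * total:
        return "below tolerance"
    return "trigger breached"


def monthly_report(accounts, period):
    """One row per entity (sorted by name) plus an 'All entities' aggregate row."""
    rows = []
    for entity, (enabled, total) in sorted(coverage_by_entity(accounts).items()):
        rows.append({"period": period, "scope": entity, "enabled": enabled, "total": total,
                     "pct": percentage(enabled, total), "rating": rate(enabled, total)})
    enabled_all = sum(r["enabled"] for r in rows)
    total_all = sum(r["total"] for r in rows)
    rows.append({"period": period, "scope": "All entities", "enabled": enabled_all,
                 "total": total_all, "pct": percentage(enabled_all, total_all),
                 "rating": rate(enabled_all, total_all)})
    return rows


def escalations(report):
    """Scopes whose coverage fell below the trigger point and need escalation this period."""
    return [row["scope"] for row in report if row["rating"] == "trigger breached"]


if __name__ == "__main__":
    report = monthly_report(SAMPLE_ACCOUNTS, "2025-03")
    for row in report:
        print(f"{row['period']}  {row['scope']:<13} {row['enabled']:>3}/{row['total']:<3} "
              f"{row['pct']:>6.1f}%  {row['rating']}")
    print("Escalate:", ", ".join(escalations(report)) or "none")
```

In practice the inventory would be exported from the identity provider or directory each month and the thresholds taken from the entity’s approved risk appetite statement; the per-entity rows support the entity-level owner of the metric, while the aggregate row is the figure a whole-of-government dashboard would carry.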

Conclusion

Thank you for providing us with the opportunity to provide input into this consultation paper. Please feel free to contact us to discuss any of these items in further detail.

Sincerely,

Amstelveen
Email: info@amstelveen.com
Address: Level 11, 570 George Street, Sydney NSW 2000
Web: http://www.amstelveen.com
