DISP Compliance and the Defence Industry Supply Chain

Thu, 26 Aug 2021 15:20:18 Z

Any organisation that is already or wants to be part of the Australian Department of Defence supply chain needs to be a member of the Defence Industry Security Program (DISP).

What is DISP?

The DISP is essentially a security vetting for Australian businesses. The DISP is managed by the Defence Industry Security Office (DISO) and DISO supports Australian businesses to understand and meet their security obligations when engaging in Defence projects, contracts and tenders.

“Whether you are an Australian business currently working with Defence or seeking to partner with us, we all have an obligation to contribute to the security of our people, information and assets.

There are many things Australian businesses can do to minimise security risks and raise their levels of security protection across the security categories of governance, personnel security, physical security, information and cyber security.

Instrumental to this is membership of the Defence Industry Security Program (DISP).”

Defence Industry Security Office

DISP membership is extremely important to many different business sectors. Whether it is higher education, manufacturing, transport, consulting, managed services or construction. If you’re looking to work in the Australian Department of Defence supply chain, or already are, then membership to the DISP is essential to ensure the protection of Defence and its assets.

The important bit, failure to gain membership will preclude organisations from lucrative federal contracts and have a financial impact on them.

The Australian Signals Directorate Top 4

In recent years within the cyber security sector in Australia, most of the discussion has revolved around the Australian Cyber Security Centre (ACSC) Essential 8. Although now a lot of the industry focus has shifted back to what the Essential 8 replaced, the Australian Signals Directorate (ASD) Top 4 some new changes have been put in place for DISP membership requirement. One of the membership requirements mandates the enforcement of the original ASD Top 4.

The ASD Top 4 includes:

Application Whitelisting (Now referred to as Application Control)
Patching applications
Patching operating systems
Restricting administrative privileges

ACSC data shows organisations can prevent up to 85% of Windows intrusion threats by implementing the ASD Top 4 so whether you’re looking at DISP membership or not it’s a worthwhile and important undertaking for an organisation.

Help with implementing the Top 4 controls

At Ivanti we’ve always focused on the Top 4 controls, our security products are used by organisations of all sizes across multiple business sectors in Australia.

While most organisations will already have an operating system patching process in place, the remaining three controls are all seen as a rather difficult, manual, and time-consuming controls to implement, it doesn’t have to be that way!

Ivanti Application Control can make whitelisting and restricting admin privileges very simple and quick. Allowing you to go from auditing to enforcement with a very fast return on investment and minimal administration overheads.

Ivanti has the largest catalogue of patch content for third-party apps and our patching products are securing over 180 million endpoints globally.

If an organisation is already using Microsoft Endpoint Manager to manage and patch their endpoints Ivanti can plug right into it with Ivanti Patch for MEM adding support for our 3^rd patching catalogue.

If a mechanism for operating system patching isn’t in place, then Ivanti Security Controls can be used to cover both the applications and operating systems.

For more information on how Ivanti can help you with the Top 4 and Essential 8 you can view a video of our Essential 8 approach here: Ivanti ACSC Essential 8 or gain an overview on how to comply with the ACSC Essential 8 here.

Need DISP Compliance ASAP?

If you need to become compliant with the DISP and need to get those ASD Top 4 security controls in place quickly let us know. We have helped a number of organisations in the last 6 months who have needed quick compliance for a project or tender, and we have been able to support them implementing the controls efficiently, effectively and without user disruption.

Some handy references:

You Can Fly Round the World in 48 Hours but Can You Patch a Server?

Mon, 12 Oct 2020 13:58:53 Z

It is becoming increasingly more difficult for organisations to keep up with the ever-growing security patching requirements. More stringent guidelines are being introduced, such as the Australian Cyber Security Centre (ACSC) Essential 8. To meet the highest level of maturity of the essential 8, an organisation must patch and secure critical security vulnerabilities within 48 hours of the release of the patch or discovery of the vulnerability.

The 48-hour turnaround time can be difficult to meet due to:

Ineffective deployment methods;
Red tape with process; and
Lack of adequate reporting.

What happens in the wild?

From my personal experience with large organisations the complexity of the environments makes patching security vulnerabilities within a 48-hour time frame difficult. A combination of the complex environments, manual processes and stakeholder engagement inhibit the ability to make the time frame.

On the flip side in organisations that manage to meet this requirement tend to skip over the required processes. An outcome of this typically a lack of reporting and verification of the patching being completed.

What’s the best approach?

With those issues in mind it’s obvious a very mature streamlined and automated approach is required. An approach that can tie in the deployment method, the required processes and reporting on the results.

The flow on effect of building such a solution gives the added benefit of further streamlining standard patching. Increasing the confidence with stake holders and allowing for resources to be better utilised compared to the current manual resource driven patching processes many organisations still utilise.

How can Ivanti help?

A good place to start is Ivanti Security Controls (ISEC). ISEC allows you to patch both operating system as well applications for Windows and Linux. ISEC also allows the choice of agent or agentless patching, meaning you can avoid adding yet another security agent to the endpoints. Furthermore, ISEC also has the capability to take the output of vulnerability scanners allowing you to automatically convert a list of Common Vulnerabilities and Exposures (CVE) directly into a list of patches. Ivantis CVE to Patch technology is a great time saver you no longer have to have resources completing repetitive tasks to produce the patch list.

For the 48 hours patching use case pairing ISEC with Ivanti Automation is a must. The automation platform can control every step based on the defined processes of an organisation. This can be achieved using the Ivanti Automation Connectors allowing Automation to tap into ISEC, Service Management platforms (such as Ivanti Service Manager) as well as the Automation platform itself performing required health checks that are part of the process itself.

The final part of the puzzle is reporting and the tool for that is Ivanti Xtraction. Xtraction is a real-time intelligence platform. It allows you to build reports from multiple sources across vendors into easy to understand dashboards. Xtraction can be used to report on the patching status across an organisation allowing for easy single pane of glass view for the compliance status.

Putting it all together

Bringing all these pieces together is the real art behind successfully creating a process to meet the 48 hours critical patching requirement. From our experiences here at Ivanti a simple strategy utilising this approach would typically look like this:

Underpinning all of this with Xtraction, allowing a live dashboard view of the whole process to be monitored.

The Ivanti approach allows for one vendor to cover this process, from the patch management, service management, reporting and automation. Also, for organisations that already have partial coverage Ivanti can plug the gaps to bring it all together.

What next?

Ivanti have a nice short demonstration of all aspects of the automated patching and reporting which can be found here.

If you would like to have a chat regarding automated patching you can reach out to us from our homepage.

Ivanti Blog: Posts by