CRCSI Information Technology
Strategic Roadmap 27 Jan 2016
CRCSI Information Technology Strategic Roadmap January 2016
27/01/2016
Introduction
This document comprises the IT Review and Strategy Roadmap as undertaken by The Right IT on behalf of the CRCSI. This document is aimed at providing the key stakeholders of the CRCSI with a high level overview of existing IT and offers a number of recommendations to assist in addressing issues, and prioritizing the issues identified in line with the CRCSI’s requirements and capabilities. This document does not include detailed technical analysis of systems or services, nor does it provide policies and procedures.

The intended audience within the CRCSI is Phil Delaney, Melanie Plumb, Peter Woodgate, and Graeme Kernich.

Purpose
The purpose of this document is to provide the CRCSI with greater visibility and understanding of the existing technology and its usage within the CRCSI. It also provides an understanding of potential risks, skills gaps, and areas for change or improvement in line with the CRCSI’s broader objectives and requirements. In addition, it provides options for addressing the issues, prioritising the issues, and focusing on Australian hosted solutions where possible.

Associated Individuals
The following individuals were involved in the review.

CRCSI Key Stakeholders;
- Phil Delaney
- Melanie Plumb
- Peter Woodgate
- Graeme Kernich

Melbourne University;
- Peter Bruges
- Thavi Bouphasavanh

The Right IT;
• Julian Ryan
• Nathan Krake
• Chama Wickz
• Matt McInnes (external advisor)

CRCSI Additional Staff;
• Nathan Quadros
• Riyas
• Samantha Bain
• Phil Tickle
• Darren Mottolini
• Jessica Purbrick-Herbst
Introduction
1 Strategic Roadmap Summary
  1.1 Strategic Roadmap Objectives
  1.2 Roadmap Recommendations summary
    A. Migrating to Office 365
    B. Endpoint & Application Access Security – initial phase
    C. Security Focused Culture (Policy & Education)
    D. Establishing a CRM Project
    E. Future Considerations
2 The Existing IT Landscape - here’s where you’re at
  2.1 Policy, Culture, and Capability
    2.1.1 Policy Commentary
    2.1.2 Culture Commentary
    2.1.3 Existing CRCSI Risk Management Controls
    2.1.4 Passwords and Password Management
    2.1.5 Skills Gap Analysis
  2.2 Infrastructure
    2.2.1 Network & Phone System (Melbourne University services)
    2.2.2 Network Security - Lygon St office
    2.2.3 IP Address Allocation at Lygon St
    2.2.4 Tensia Finance Server
    2.2.5 Spare & Unused Equipment
    2.2.6 Local Storage Devices
  2.3 Systems & Applications
    2.3.1 Applications in use
    2.3.2 Device hardening
    2.3.3 Antivirus and PC Security
  2.4 Data Management
    2.4.1 GIS data sets
    2.4.2 Financial Data
    2.4.3 Software development / Source code
    2.4.4 Dropbox Data
    2.4.5 Gmail Email Mailboxes
    2.4.6 Contact Lists
    2.4.7 Data Integrity and Backups
    2.4.8 ‘Project’ Review Process and Research data
3 Identified Areas for Review - here’s what the issues are
  3.1 Policy & Culture
    3.1.1 Limited Policy Awareness
    3.1.2 Not a Security Focused Culture
    3.1.3 Password Management
  3.2 Process & Capability
    3.2.1 CRCSI Software / Source Code Management
    3.2.2 Informal Technical Support
  3.3 Data Protection
    3.3.1 Data Backups
    3.3.2 Data Encryption
    3.3.3 Dropbox Folder Permissions
    3.3.4 Dropbox Logins
    3.3.5 Personal Device Usage
    3.3.6 Antivirus and Antimalware
    3.3.7 No Restrictions on Outgoing Internet Traffic
  3.4 Systems & Applications
    3.4.1 Mobile Phones as primary phone
    3.4.2 Gmail
    3.4.3 Application updates & Patches
    3.4.4 Data Sovereignty
    3.4.5 Telephony System
4 Roadmap Recommendations - here’s what we suggest
  4.1 Policy and Culture Recommendations
    4.1.1 Password and Password Management Policy
    4.1.2 Personal Mobile As Primary Phone
    4.1.3 Update Personal Device Usage Policy
    4.1.4 Creating Security Focused Culture
    4.1.5 Insurance Requirements of Data Management
    4.1.6 Define Policy on Data Management and Storage
    4.1.7 Review Source Code Management
    4.1.8 ISO Standard 27001 – Guiding Principles
    4.1.9 Research Data and Project Review Data
    4.1.10 Document Sensitivity Rating
  4.2 Process & Capability Recommendations
    4.2.1 New Systems or Applications Process
    4.2.2 New Equipment Purchasing Process
    4.2.3 New Staff Entry & Exit Process
    4.2.4 Increased End User Education & Training
    4.2.5 Technical Support Escalation Process & Partnership
    4.2.6 Creation of Local PC Administrator On All Computers
    4.2.7 Increased Clarity on Defined Applications For Use
    4.2.8 Contact List Management
    4.2.9 Product Development and Management
  4.3 Data Protection Recommendations
    4.3.1 2 Step Verification / Authentication for Dropbox
    4.3.2 Review Dropbox Folder Permissions
    4.3.3 Implementation of Complex Phone PIN / Passcodes
    4.3.4 Bitdefender AV / AM Security Software on PCs
    4.3.5 Activate Remote Wipe Dropbox Capabilities
    4.3.6 Laptop / PC Backup to Local NAS
    4.3.7 Office Backup of Dropbox Data
    4.3.8 Periodic Dropbox Administrator Password Change & Roll Review
    4.3.9 Device Hardening
    4.3.10 Implement Auto Wipe of Mobile Phones
    4.3.11 Reviewing Application Whitelisting and restricting Outgoing Internet Traffic
  4.4 Systems and Applications Recommendations
    4.4.1 Migration to Office 365 for Email & Contact Management
    4.4.2 Application Updates & Patching
    4.4.3 Review Group Collaboration Requirements
    4.4.4 Evaluate Cloud Based Financial System
    4.4.5 CRM Project
    4.4.6 Network Strategy Post Melbourne University
    4.4.7 Remote Access to GIS Data
    4.4.8 Corporate File Systems and Non GIS Data
5 Annex 1 - Recommendations Matrix
6 Annex 2 – Department of Defence CSOC – Top 35 Strategies to Mitigate Targeted Cyber Intrusions
7 Annex 3 – Existing CRCSI Risk Management Controls
1 Strategic Roadmap Summary
Included within this summary are an overview of the Strategic Roadmap Objectives and the 5 Key Roadmap Recommendations.
Including this summary, the document is structured into 4 sections;
1. Strategic Roadmap Summary
2. The Existing IT Landscape - here’s where you’re at
3. Identified Areas for Review - here’s what the issues are
4. Roadmap Recommendations - here’s what we suggest

1.1 Strategic Roadmap Objectives
The objectives of this strategic roadmap are to assist the CRCSI in addressing deficiencies and developing a policy framework for future ICT initiatives and ongoing management. This document provides the CRCSI a more informed view of how existing technology and practices can be improved or changed to increase and assist with the mid term objectives of the organisation.

The roadmap recommendations address a number of existing areas for improvement, and improved management and mitigation of risks and threats facing the CRCSI from a technology and cyber security perspective.

Through the review we have defined 5 key strategic principles to inform and influence the roadmap recommendations for the CRCSI.

The key strategic principles guiding the roadmap are;
• Increase ICT Security
• Increase ICT Sophistication
• Maintain Agility and Adaptability
• Maintain Productivity and increase Efficiency
• Create a Security Focused Culture
1.2 Roadmap Recommendations summary
By and large we believe that the existing strategy of cloud based services is suitable for the CRCSI, and this strategy should be maintained for core services in conjunction with addressing issues identified throughout this review.

Within the roadmap are 5 key recommendations that address a large number of the issues identified and the individual recommendations to resolve and manage those issues. Each of these Key Roadmap Recommendations provides an overarching strategy to the individual recommendations identified.

The Key Roadmap Recommendations are;
A. Migrating to Office 365 - Q1 2016
B. Endpoint & Application Access Security - Q1 2016
C. Security Focused Culture (Policy & Education) - Q1/2 2016 (and ongoing)
D. Establishing a CRM Project – Q2/3 2016
E. Future Considerations – Q2-4 2016 & beyond

Each of these key recommendations is summarized individually below. Individual / specific recommended actions and initiatives are outlined in section 4 of this document, Roadmap Recommendations - here’s what we suggest.

A summarized list of specific recommendations is provided in Annex 1 – Recommendation Matrix. The Recommendation Matrix also outlines the related Timeline, Action, Implementation Effort, Exposure & Importance, and Impact & Relevance of each specific recommendation.

A. Migrating to Office 365
This key recommendation addresses a number of existing issues and subsequent recommendations, and as such becomes a key part of the strategic roadmap.

What is Office 365? In the context of this recommendation to the CRCSI, Office 365 comprises a combination of features and applications in the form of a cloud business service from Microsoft. The features incorporate Microsoft Exchange Email capabilities, centralised Directory Management, the suite of Microsoft Office applications, and a number of collaboration tools and further options.

Specific to the recommendations and issues identified at the CRCSI, Office 365 provides the following benefits;
• Centralised email management and administration
• Mobile Device Management, remote wipe
• Password Change & Complexity Enforcement
• MS Office updates and patching
• Possible Collaboration Tools
• Authoritative Contacts List Location
• Increased User Verification & authentication
• Dropbox Integration
• Australian based data storage (Data Sovereignty)

B. Endpoint & Application Access Security – initial phase
This roadmap element comprises a number of actions addressing a variety of identified security issues relating to inconsistencies and low levels of security on staff devices and applications in use.

The initial actions recommended for increasing endpoint / device & application access security include;
• Implementing Bitdefender Endpoint Security (Best in class, cloud managed Antivirus / Antimalware solution)
• Dropbox 2 step verification
• Dropbox permissions update
• Password & PIN strengthening policy (including applications and devices)
• Reducing Personal Device usage and access to corporate data
• Source code management changes & further review
  o Clear IP accountability, access, and management

C. Security Focused Culture (Policy & Education)
The key element of this recommendation is to increase and then maintain staff education and awareness of the importance of, and need for, security consciousness. This review process has in itself provided an initial step in creating greater awareness of the importance of security. The individual recommendations that relate to this objective of creating a security focused culture are mainly around staff education of policies (both new and existing) through increased communication and clarity. In addition, this includes creating specific awareness of why changes are happening within the organization.

The short term areas that this education and awareness relate to are;
• Use of personal devices (phones and home computers)
• All changes relating to the Endpoint & Application Access Security changes
• Password management policies
• Clarity on what is the CRCSI’s sensitive information, how to identify it, and related policy
• The main behavioral vulnerabilities that affect and undermine security measures
• Reframing the ideology of personal trust as compared to controlling vulnerability and limiting risk

D. Establishing a CRM Project
The fourth roadmap recommendation is to undertake a CRM project. Currently the CRCSI has a fragmentation of both the relationship lifecycle with partners / clients, in addition to sales and business development processes. The implementation of a suitable CRM is also an important element in the transition of the CRCSI becoming a private equity organization.

Internally reviewing the business processes and ideal requirements that relate to these areas of the business will provide an opportunity to create a foundation for improving visibility in addition to deepening the BDM team activities into the organization.
An effective and suitable CRM will also deliver improvements in areas such as;
• Consistency of application use
• Increased collaborative awareness
• Communication tracking and relationship visibility
• Reduced technology islands that presently exist with contacts & some BDM documents

The CRM project initial action is to identify organizational requirements and business process analysis, both current and foreseeable. After this, the evaluation of potentially suitable CRM products / services would be undertaken whilst considering the key strategic principles.

E. Future Considerations
Future considerations are those items that have been identified as relating more to events and changes over the coming 1 to 3 years or requiring additional planning and discussion. The actionable elements of these recommendations include the consideration of identified items in the strategic outlook of the organization, and the budgeting of these possible changes / activities.

Some specific recommendations that are included within this roadmap area are;
• Network and Telecommunication services strategy post Melbourne University campus
• Cloud deployed GIS Data & Azure like service utilization – Domestic data locality
• Use of ‘pay as you go’ cloud computing resources for large computation activities
• Using the guiding principles of ISO Standard 27001 – Information Security Standard
• Laptop / PC backups to local NAS
• Device encryption
• Domestic (Australian) backup of all Dropbox data (or relocation to alternative in Australia)
• Cloud based financial system
• Product Development (capitalizing on IP and source code)

2 The Existing IT Landscape - here’s where you’re at
The following section provides a summary of the existing IT landscape of the CRCSI as discovered in the review.

In addition to the information below, please refer to the CRCSI Staff Interviews Summary document that contains more detailed information and findings following a number of one-on-one interviews with key CRCSI staff.

2.1 Policy, Culture, and Capability
2.1.1 Policy Commentary
In comparative terms for organisations of similar size, the CRCSI has well developed policies relating to IT. There are a number of existing policies and procedures relating to individual areas of the IT within the CRCSI. These incorporate some important elements and include;
o Data storage and management
o Business Continuity
o Collaboration and Communication
o Support
o Expected Conduct
o Intellectual Property protection and management

These individual policies specifically relate to
o Intellectual Property
o Dropbox
o Business Continuity
o HR Handbook (conduct related – not yet released)
o Media & Social Media

2.1.2 Culture Commentary
The CRCSI offers the staff a high level of autonomy and flexibility in how they utilize IT equipment and resources to meet individual functions and objectives. There also appear to be some internal product specific or IT champions with specific domain or application knowledge that is leveraged quite well amongst the team.

A further observation to this however, is that in some cases the domain knowledge is not necessarily part of core job function and as such may be a distraction and possibly unproductive for those individuals assisting or educating others.

Additionally there is a high degree of collaborative intention in achieving organizational objectives. This is evident from the high level of care and consistency amongst those individuals interviewed.
The IT tools used for actual collaboration however are inconsistent and not well known.

Staff have a favourable view of using personal devices for work purposes.

Most staff operate on a common sense approach to a few key areas relating to IT, namely;
• Password creation and management
• Management of sensitive information
• Data storage and management

2.1.3 Existing CRCSI Risk Management Controls
The CRCSI has identified a number of risks relating to IT as outlined within the CRCSI Risk Management Plan & Register V1.4 (May 2015). These have been summarized within this document in Annex 3 for reference purposes.

The précis of these risks and existing management is;
Key points of the risks
o Commercialisation and protection of Intellectual Property
o Business Continuity and geographic / office dependency
o Loss of research data
o Loss of corporate data (operationally disruptive loss)
o Theft or misuse of data
Key strategies of managing this risk
o Project Leaders manual, significant ownership of risk management on Project Leaders
o User habits and processes and individual sense of ownership
o Data backups and redundancy
o Anti Virus / Spam filtering & Firewalls
o A number of internal policies and procedures (both prevention and response)

2.1.4 Passwords and Password Management
Staff are not aware of any CRCSI policy on Passwords and Password Management. This is evident from the variety of methods and practices used by interviewed staff in the creation, storage, and management of their Passwords for corporate services and systems.

The creation of passwords and their relevant complexity is very much based on an individual’s perception of the specific importance of the relevant service or system, combined with their individual awareness and subjective view on what is ‘suitably complex’.

In many instances staff do not have the same passwords for the core systems and applications used by the CRCSI, and many also deemed that ‘suitably complex’ included a variety of CAPITAL letters, lowercase and Numbers. Most staff cited 8 – 12 characters as the typical password length that they would use.

Password management and storage location is highly inconsistent, varying from managing passwords only in an individual’s head, to relying on a register maintained by Wendy for some systems. Other storage locations of passwords included files in Dropbox, notes on mobile phones, cached Google cookies, emails, and cached within applications and browsers.

CRCSI Information Technology Strategic Roadmap January 2016
27/01/2016
CRCSI!Information!Technology!Strategic!Roadmap!–!January!2016! Page 17 of 54!
2.1.5 Skills!Gap!Analysis!
Interviews%with%staff%suggest%a%few%areas%of%potential%improvement;%
• Gmail%usage%and%capabilities%
• Use%of%CRM%
• Internal%IT%support%
• End%user%training%on%systems%/%applications%
• End%user%education%on%CRCSI%policies%and%procedures%
• Group%collaboration%tools%
%
CRCSI Information Technology Strategic Roadmap January 2016
27/01/2016
CRCSI!Information!Technology!Strategic!Roadmap!–!January!2016! Page 18 of 54!
2.2 Infrastructure&
For%benchmarking%the%existing%systems%and%infrastructure%in%use%at%the%CRCSI%the%current%systems%
were%also%evaluated%in%conjunction%with%the%top%35%Strategies%to%Mitigate%Targeted%Cyber%
Intrusions,%as%outlined%by%the%Cyber%Security%Operations%Centre%of%the%Department%of%Defense%
Intelligence%and%Security.%Annex%2%provides%a%summary%table%of%the%current%and%planned%
compliance%with%the%various%mitigation%strategies.%
%
Of%those%mitigation%strategies%relating%to%network%related%infrastructure,%the%Melbourne%
University%services%utilized%by%the%CRCSI%provide%a%high%degree%of%resilience%and%protection.%For%
those%mitigation%strategies%relating%to%PC%/%endpoint%and%end%user%practices%there%are%a%number%
of%existing%deficiencies.%%These%are%discussed%individually%within%this%document.%
!
2.2.1 Network!&!Phone!System!(Melbourne!University!services)!
The%Melbourne%University%services%of%Network%&%Phone%system%infrastructure,%provides%the%
CRCSI%with%a%complete%and%mature%network%environment%within%the%Lygon%St%office.%%The%
Melbourne%University%network%is%a%comprehensive,%well%funded,%secure,%and%well%managed%
‘Campus’%network%of%an%Enterprise%standard.%%%
With Melbourne University’s use of best of breed Cisco infrastructure and best practice campus
design, this provides the CRCSI with a high-grade network infrastructure. It would be a great
expense to build a comparable network.

The existing phone system is a robust and mature Enterprise IP Telephony deployment within
the Cisco Unified Communications suite.

2.2.2 Network Security - Lygon St office
The Communications rack is housed in a secure room with restricted access, inside the CRCSI
tenancy. The room is well ventilated and room temperature was suitable for the infrastructure.
This provides suitable physical security, with the exception that the level 5 co-tenant (IBM
Research) also has physical access to the room.
The power cables on the floor and around the communications rack were unorganized and
untidy. This represents operational risk of unplanned equipment power outages, however it
remains unclear to what extent the unorganized power is solely related to the IBM equipment.

The network equipment provided by Melbourne University at Lygon St is enterprise grade Cisco
hardware, providing redundancy by design, including redundant fibre optic connectivity back to
the Melbourne University network core.

The logical security of the network restricts access to only authorized devices. This provides a
very effective mitigation strategy in preventing potential risk. All network access & authorization
is managed through formal requests to Melbourne University and then managed internally
within Melbourne University HR & Network procedures.

The network is also logically separated from all other Melbourne University edge networks,
providing suitable segmentation and segregation.

2.2.3 IP Address Allocation at Lygon St
The IP address range for the office is a private address space 10.1.216.0/22 (.216.0 – 219.255),
and is managed by Melbourne University. DNS is also within the Melbourne University network.

All devices are allocated their IP address dynamically and automatically via DHCP within the
network.

Printers (network connected) are set with static IP addresses and these are allocated Public IP
addresses (Internet addresses). By default within the Melbourne University network all incoming
ports from the Internet are blocked. Any requirements for open ports for incoming connections
are handled on a per application basis through the network operations group at Melbourne University.

2.2.4 Tensia Finance Server
The existing Tensia Finance server, both service and equipment, is fully managed by Federation
International. This service includes backups, maintenance, disaster recovery, and remote
administration.

Full daily backups are provided which are then copied to managed cloud backup space.
Server Health checks are performed every 2 weeks, with remote maintenance done via iDRAC
(Dell DRAC).

Contact details: Mark Vasudeva 0394313300. Federation International Pty Ltd.

2.2.5 Spare & Unused Equipment
Currently there are a number of unused devices that remain in the office. These include
old PCs and desktop computers, and 1 laptop. These are largely unsecured beyond being in the
secure office space.
There are also a few spare monitors (new) and laptop docking stations within the office.

2.2.6 Local Storage Devices
Currently there are 4 local storage devices primarily used for the storage and management of GIS
Data. 2 of these devices are available on the Network, and 2 are directly connected via USB to
individual computers as required.
These devices are Drobo NAS (Network Attached Storage) with built-in, off-the-shelf RAID
protection on the hard disks. Each Drobo NAS provides approximately 15TB of usable space.

2.3 Systems & Applications
2.3.1 Applications in use
Currently there are a small number of core applications / systems used in addition to some
department specific and peripheral / individually used applications.

Core applications include;
• Gmail for email and calendaring
  o Staff use a combination of web browser, IMAP / POP clients, and Mobiles to
    access the Gmail services.
  o Accounts are individual Gmail mailboxes with a domain redirection service
    mapping all @crcsi email aliases to the individual Gmail mailbox.
• Dropbox for File & Document storage & management
  o Staff use a combination of work PCs / Laptops, Home PCs, and Mobiles to access
    Dropbox services.
• Microsoft Office for file and document creation and editing
• Personal preference in web browsers

Department specific applications in use;
• Pipedrive CRM – for basic BDM pipeline management
• Tensia for financial and accounts
• Visual Studio for software development management
• Mailchimp for auto responder and email campaign management

Peripheral applications in use;
• Google Drive for files and document creation / collaboration
• Software development tools in use
• Internally developed Source code / applications

2.3.2 Device hardening
There are currently no measures in place to harden the security of data stored on phones or
computers, including those travelling outside of the CRCSI offices and Australia. The logical and
physical protection of these devices is limited to password protection or simple PIN codes on
phones.

2.3.3 Antivirus and PC Security
There is no existing ability for centralized visibility or management of Computer security /
Antivirus protection for CRCSI devices or personal devices with access to or copies of sensitive
data.

There is also no existing corporate policy or consistency of Antivirus software on PCs. Many PCs
have McAfee antivirus software, often the preinstalled version at the time of purchase.

Gmail is providing a high level of protection from incoming SPAM and malicious email content.

2.4 Data Management
2.4.1 GIS data sets
GIS Data is largely managed on the Drobo NAS devices as highlighted above, in addition to
various copies of the individual or multiple data sets in a number of locations. These large
volumes of data are copied and moved on an as needs basis for research, analysis, and partner
activities.

2.4.2 Financial Data
Financial data is managed as part of the Tensia service including offsite backups. Management /
access is via a remote desktop session on the Tensia server, whereby accounts records and the
processing remains on the server. There is currently no remote access outside of the office.
3rd Party financial functions such as banking and superannuation are done via web browser.

2.4.3 Software development / Source code
Currently CRCSI source code and software development is managed through a combination of
manual copies / backups and the primary Visual Studio service used by Riyas. This seems to be
an organically developed and informal process.

2.4.4 Dropbox Data
All general operational Files & Document data is managed and stored in Dropbox with security
access at the folder level on an individual user account basis. Dropbox is discussed with more
specific topics throughout this document.

2.4.5 Gmail Email Mailboxes
Currently there are no defined management processes for, or access to, individual mailboxes beyond
that of the individual. There is limited visibility and reporting on Email, and no defined archival or
access procedures.

2.4.6 Contact Lists
Contact lists are currently managed and stored in a number of locations with no apparent
authoritative source. Existing locations of contact information include Pipedrive, Mailchimp,
and individual address books and contact lists.

2.4.7 Data Integrity and Backups
There appears to be limited organisational awareness as to what extent data is backed up, how
and when. There is currently no formal data backup for Dropbox files or email content beyond
what is done by the relevant Service Provider of the service (Google, Dropbox, Pipedrive etc).
Financial data and records are backed up offsite on a regular basis as part of the managed Tensia
service.

Staff that manage data and information outside of the primary systems (Dropbox, Gmail, Tensia,
Pipedrive) have self-developed, informal procedures regarding backing up of data. For example
source code is copied to a local laptop before major revisions are made. Multiple copies of GIS
data are held in varying segments in numerous locations, which is deemed as backup.

There is a limited knowledge of any existing process or plan relating to recovery from device
failure or loss.

2.4.8 ‘Project’ Review Process and Research data
It is understood from the staff interviews that ‘Project’ submissions/documents can often
contain both internal and external stakeholder intellectual property. The current Project review
processes relating to who receives these documents and related information could be reviewed
to further understand the implications of sending sensitive information outside of the CRCSI.

According to the CRCSI Dropbox for Teams Protocols Draft document, currently all staff have
access to all Research data and folders on Dropbox.

3 Identified Areas for Review - here’s what the issues are
The issues identified have been categorized into the following areas.
• Policy & Culture
• Process & Capability
• Data Protection
• Systems & Applications

3.1 Policy & Culture
3.1.1 Limited Policy Awareness
Most staff operate on a basis of common sense regarding the protection of sensitive data. There
exists an issue of staff not being sufficiently aware of, or educated on, existing policies that have a
direct impact on the protection of intellectual property and sensitive data.

Additionally there are instances of staff using a variety of systems and applications that are not
visible or accessible by the organization, and the staff are not clearly educated on which
application to use in varying circumstances.

There exists a lack of awareness of the importance and significance that Dropbox plays in storage
and retention of CRCSI corporate data. This results in a high degree of end user complacency
regarding the security and management of data within Dropbox.

3.1.2 Not a Security Focused Culture
Currently the CRCSI does not have a strong security culture amongst staff. This represents a high
exposure in that even the best security measures can be undone by unintentional actions.
Current staff education and security awareness presents a large risk.

The culture goes beyond that of good governance and policy, and extends largely into education
and awareness.

3.1.3 Password Management
There are a number of issues with the existing management of passwords within the CRCSI.
These include;
• No defined policy on password creation and complexity, nor storage
• Broad ranging storage habits
• Many non-complex passwords in use
• Reuse of passwords across multiple systems including personal usage
• Relaxed habits relating to changing passwords on critical applications (like Dropbox &
  Email)

3.2 Process & Capability
3.2.1 CRCSI Software / Source Code Management
The absence of consistency in the management, access, and storage of CRCSI Software / Source
Code, which represents key intellectual property, creates a number of issues.

The lack of clear policies on where and how source code is stored creates the issue of keeping track
of the data and also knowing how it is accessible.

Whilst the existing practice suggests that there are ample copies of the majority of source code,
who has access and where it is, is in itself an issue. With copies of source code being stored on
individual laptops, ‘Drobo’ NAS units, VisualStudio.com cloud service, and sometimes with
research partners, who has access to it is very unclear. Not knowing who has it makes it
almost impossible to manage effectively.

The selection of Visual Studio and how source code is stored outside of it appears to not have
been done with the consideration of the broader CRCSI requirements. As a side note, Visual
Studio Team Services is ISO 27001:2013 certified.

3.2.2 Informal Technical Support
Currently staff generally depend on the knowledge of other staff for technical assistance in the
event of difficulties, with a few known ‘product champions’ being the informal ‘go to’. This
creates the following issues;
• Distraction from primary function for the ‘go to’ individuals
• Occasional frustration if no one is around, or at a limit of knowledge
• Uncertainty as to how a problem will get resolved
• Staff creating inefficient work-arounds to issues

3.3 Data Protection
Who would benefit from having CRCSI information?
3.3.1 Data Backups
Currently the CRCSI has no formal or structured data backups beyond that inherent with the
Dropbox service and other cloud services.

3.3.2 Data Encryption
Currently the CRCSI has no data encryption beyond that inherent with the Dropbox architecture /
service. For those staff that retain sensitive data on their devices, this creates a possible issue in
the event of device loss or theft. This is also a broader issue relating to those staff who take
devices internationally.

3.3.3 Dropbox Folder Permissions
Existing Dropbox folder permissions appear to have been applied based on what is deemed as
internally sensitive to individuals based on the job function. This creates the issue of many staff
having potentially unnecessary access to data, which they both don’t require and are possibly
unaware of whether it contains externally sensitive data.
This creates an issue when taking a broader view of cyber security and the management and
protection of organizational data.

3.3.4 Dropbox Logins
Currently logging into Dropbox only requires a username and password. Often these passwords
are non-complex and cached within the device. In some instances staff were unsure of their
Dropbox password, and used the same password for other systems/services.

This creates the issue of a very low level of security for accessing the CRCSI’s primary data storage
system, which is accessible from anywhere.

3.3.5 Personal Device Usage
Staff using personal computers to access corporate data (email & Dropbox)
presents a number of issues. Note, these issues are not necessarily consistent across the entire
organization.

a. The absence and/or inconsistency of Antivirus and Antimalware on personal computers.
   This creates an issue where measures taken by the CRCSI to protect data on corporate
   devices are not extending to all devices used to access sensitive data.

b. Physical access to personal devices is in no way within the control of the CRCSI. This
   creates increased risk of device compromise and data theft.

c. Use of personal devices ties the CRCSI to an individual’s personal and social profiling and
   whether they are likely targets of a personalized attack. Malware and Spyware in
   conjunction with ‘big data’ may identify individuals as possible personalised targets for
   attack, which in turn may inadvertently lead to the CRCSI becoming a target. Personal
   devices may also be an easy target in a targeted attack on the CRCSI based on personalised
   attacks from publicly available information about individuals (LinkedIn, Facebook,
   Meetup etc).

3.3.6 Antivirus and Antimalware
Currently the CRCSI has disparate and inconsistent endpoint security software with no visibility
or centralized management of the PC security status. This creates issues with both actual
protection of devices in addition to an inability to control and manage the devices on an ongoing
basis.

3.3.7 No Restrictions on Outgoing Internet Traffic
Currently the network is configured so that all traffic / sessions originating from within the
network are deemed ‘trusted’ by the Melbourne University network. The issue that this
creates is that should there be malware inside the office it can expand its impact by creating a
connection to the Internet.
Note: The implications of changing or controlling this are both expensive and onerous.

3.4 Systems & Applications
3.4.1 Mobile Phones as primary phone
Many staff utilize personal mobile phones as their primary work phone for communicating both
internally and externally. This creates the issue of phone number and user relationship retention
when staff leave the organization.
Additionally it reduces visibility to client / partner interactions and creates potential silos and
bottlenecks within the organization.

3.4.2 Gmail
Existing use of the individual Gmail accounts creates an environment that is difficult to manage
and maintain. This usage also creates challenges relating to outgoing staff and the ongoing
access and management of their email history.

Knowledge of Gmail is broadly assumed, resulting in some staff being unaware of features and
capabilities, which creates inefficiency.

Gmail also creates limited visibility and access to CRCSI information and data that is stored in
individual mail files.

Some staff do not have offline access to stored email content and predominantly access Gmail
via a web browser. This again creates an issue of efficiency in addition to considerations
regarding business continuity.

There is no effective Administration method for the existing environment.

As elaborated below, Gmail also presents the issue of data sovereignty.

Access to Gmail when traveling in China remains uncertain. (As does Dropbox, however the data
remains available offline.)

3.4.3 Application updates & Patches
Currently the CRCSI has no process or method for updating applications (patches & version
upgrades) on devices. This creates a major exposure as new vulnerabilities are identified and
made public. These vulnerabilities represent a large number of real world security breaches.

3.4.4 Data Sovereignty
Existing cloud services in use by the CRCSI that are provided by Google with Gmail and Google
Docs, in addition to Dropbox, currently present the issue of the data being housed and legislated
within the United States. This issue implies that the CRCSI data is exposed to regulation relating
to control, access, and management of data that is beyond Australian borders.

The US Patriot Act can force organisations to disclose data and vendors don’t have to inform
their customers that private data has been accessed. The CRCSI should consider that data will be
under US jurisdiction, and if wanting increased data security in this context should look for an
alternative.

Whilst Dropbox files are encrypted and described by Dropbox as ‘heavily guarded’, Dropbox data
centres are located in the US. For further information refer to the DB for Business Security Whitepaper,
and to the Standards Certification of Dropbox in relation to both Security and Data Protection, as published
on dropbox.com.

3.4.5 Telephony System
The existing telephony system is capable of providing complex and sophisticated functionality,
however as the CRCSI’s requirements change, or as it approaches commercial independence, the
service provided by Melbourne University (MU) may not be flexible within the confines of MU
policy, and is potentially unable to be changed in a manner that suits the CRCSI. Examples may include
remote or roaming staff, follow the sun call distribution, call recording, contact center, or 3rd
party application integration (eg. CRM).

We suggest this be retained as a future consideration as the CRCSI continues to evolve.

4 Roadmap Recommendations - here’s what we suggest
Strategy and Recommendations are outlined to provide the best adaptability and management
of a constantly changing ICT landscape, seeking to best position an organization to deal with;
• Known Knowns
• Known Unknowns
• Unknown Unknowns

The recommended actions are listed in the following 4 sections;
• Policy and Culture Recommendations
• Process and Capability Recommendations
• Data Protection Recommendations
• Systems and Applications Recommendations

Each recommendation below identifies a Title, Strategic Roadmap Area, Timeline suggestion,
and Recommended Action.

Timeline suggestions have been formulated on The Right IT’s subjective view of Importance /
Urgency as a result of considering the ease of implementation, exposure & importance, impact &
relevance. Annex 1 provides a matrix of the recommendations listed below and includes The
Right IT’s view of these elements.

A number of recommendations and outcomes are suggested for the CRCSI relating to Security
and Risk regarding IT infrastructure, services, systems, and related data.

Security concerns are largely orientated toward the ongoing management of sensitive data,
including Intellectual Property and data relating to partners and research stakeholders.

4.1 Policy and Culture Recommendations
4.1.1 Password and Password Management Policy
Roadmap Areas: Security Focused Culture, and Endpoint & Application Access Security
Timeline / Urgency: Q1 2016
Recommended Action: Create and implement a clear policy on the creation, complexity and
storage of passwords.

Specific suggestions relating to this are;
• Individual application & computer passwords a minimum 8 character length with
  Uppercase, lowercase, and numbers, or minimum 15 character passphrase
• Administrative passwords a minimum of 12 character length with Uppercase, lowercase,
  numbers, and special characters
• No familiar words, names, or dates contained within the password
• Different passwords for Computer, Email, and Dropbox systems
• Computer, Email and Dropbox passwords committed to memory and not written down
• User level passwords changed each 6 months at a minimum, or immediately if shared
  with anyone or if possibly known by others
• User level passwords to be changed by Administrator immediately upon staff ceasing
  employment
• Administrative passwords changed each 3 months at a minimum.
• Not stored on any device without encryption
• Do not use ‘Remember Password’ features for any system containing sensitive
  information.

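The length, character and change-interval suggestions in 4.1.1 can be checked mechanically at the time a password is set. The following Python code is an added example, not part of the review or of any CRCSI system. The function names, the caller-supplied list of familiar terms, the date patterns, and the conversion of 6 and 3 months into days are assumptions.

```python
import re
from datetime import date

# Thresholds from the suggestions listed in section 4.1.1.
USER_MIN_LEN = 8          # with uppercase, lowercase and numbers
PASSPHRASE_MIN_LEN = 15   # alternative for user-level passwords
ADMIN_MIN_LEN = 12        # with uppercase, lowercase, numbers and specials
# Assumption: "6 months" and "3 months" expressed as a number of days.
MAX_AGE_DAYS = {"user": 183, "admin": 92}

# Assumption: the policy does not define what counts as a "date". Here it
# is a four-digit year (1900-2099) or a d/m/y style pattern.
DATE_PATTERNS = (
    re.compile(r"(?:19|20)\d{2}"),
    re.compile(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}"),
)


def character_classes(password):
    """Report which character classes appear in the password."""
    return {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() and not c.isspace() for c in password),
    }


def check_password(password, role="user", familiar_terms=()):
    """Return a list of policy violations; an empty list means compliant.

    familiar_terms is a caller-supplied list of words, names or dates tied
    to the user (hypothetical input, e.g. own name, organisation name).
    """
    if role not in MAX_AGE_DAYS:
        raise ValueError(f"unknown role: {role!r}")
    violations = []
    classes = character_classes(password)

    if role == "admin":
        if len(password) < ADMIN_MIN_LEN:
            violations.append(f"shorter than {ADMIN_MIN_LEN} characters")
        missing = [name for name, present in classes.items() if not present]
        if missing:
            violations.append("missing character class: " + ", ".join(missing))
    else:
        is_complex = (
            len(password) >= USER_MIN_LEN
            and classes["uppercase"]
            and classes["lowercase"]
            and classes["number"]
        )
        is_passphrase = len(password) >= PASSPHRASE_MIN_LEN
        if not (is_complex or is_passphrase):
            violations.append(
                f"needs {USER_MIN_LEN}+ characters with uppercase, lowercase "
                f"and numbers, or a {PASSPHRASE_MIN_LEN}+ character passphrase"
            )

    lowered = password.lower()
    for term in familiar_terms:
        # Very short terms are skipped to avoid matching by accident.
        if len(term) >= 3 and term.lower() in lowered:
            violations.append(f"contains familiar term: {term}")
    if any(pattern.search(password) for pattern in DATE_PATTERNS):
        violations.append("contains a date-like pattern")
    return violations


def rotation_due(last_changed, role, today):
    """True when the password is older than the maximum age for its role."""
    return (today - last_changed).days > MAX_AGE_DAYS[role]


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = [
        ("Tr4vel", "user", ()),
        ("Quiet7Harbour", "user", ()),
        ("Quiet7Harbour", "admin", ()),
        ("Jordan1987xx", "user", ("jordan",)),
    ]
    for password, role, terms in samples:
        print(role, repr(password), check_password(password, role, terms) or "OK")
    print(rotation_due(date(2015, 6, 1), "user", date(2016, 1, 27)))
```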
4.1.2 Personal Mobile As Primary Phone
Roadmap Areas: Security Focused Culture, and Endpoint & Application Access Security
Timeline / Urgency: Q1 2016
Recommended Action: The creation / clarification of a policy that considers the CRCSI’s ideals
regarding the use of personal mobiles for external communications, in conjunction with record
keeping and possible number retention by the CRCSI.

Specific suggestions relating to this are;
• Staff with customer facing roles must surrender mobile number to the CRCSI when
  leaving the organization
• Phones must be backed up on a weekly basis
• Mobile device security measures will extend to the deletion of phone data after 10 failed
  attempts
• The use of Simple Passcodes (4 digit) is not allowed. Passcodes must comply with
  password complexity requirements
• Notification requirements in the event of device loss / theft

The further mid term recommendation is to identify which roles within the business reasonably
require a mobile phone to perform their function effectively and for the CRCSI to then provide them
with a mobile phone as part of a ‘corporate plan’.

4.1.3 Update Personal Device Usage Policy
Roadmap Areas: Security Focused Culture, and Endpoint & Application Access Security
Timeline / Urgency: Q1 2016
Recommended Action: Further to the above regarding personal mobiles, it is beneficial to clarify
CRCSI policy regarding the use of personal devices for the purpose of accessing cloud services
(including Dropbox, Email, Pipedrive, Mailchimp).

Specific suggestions relating to this include;
• Include Phones, Tablets, Personal / Private Computers, and Public Computers
• Access to any CRCSI corporate service is discouraged unless the device adheres to or is
  included within the management of the CRCSI. Eg Antivirus / Antimalware, Password
  complexity, software patching etc.
• In the event access is required, ensure that any and all data is deleted from the
  computer, including cookies, documents and files, and browser history.

For those individuals for whom the CRCSI deems the ongoing use of personal computers for accessing
CRCSI corporate services appropriate, the following recommended security measures should be taken
at a minimum;
• Compliance with Password Policy
• Installation of CRCSI corporate endpoint security software (Bitdefender recommended)
• Inclusion of device in patching and operating system updates

4.1.4 Creating Security Focused Culture
Roadmap Areas: Security Focused Culture
Timeline / Urgency: Q1 2016 and Ongoing
Recommended Action: Education, Education, Education.
Providing staff with education focused on;
• Awareness of cyber threats and common attacks
• Awareness of what’s sensitive data & the policies relating to it
• Creating a healthy sense of paranoia
• Understanding why many of the planned changes are taking place
• How does security relate to the macro environment of CRCSI and the coming years*
• Data distribution policies outside CRCSI staff when ‘research projects’ are being reviewed.
• Increased policy communication. What, Why, How.
  o Especially regarding management of sensitive data

*An example of this may include a 10 – 15 min video from Peter / or interview format to provide
the big picture of how the CRCSI’s IP and Data is relevant beyond the day-to-day operations and
individual research projects. Easy deployment through Yammer, Youtube, Vimeo etc.

4.1.5 Insurance Requirements of Data Management
Roadmap Areas: All.
Timeline!/!Urgency:!!Immediate%
Recommended!Action:!Review%existing%obligations%and%requirements%relating%to%data%
management,%protection,%backup,%and%duplication%within%existing%insurance%policies.%This%may%
affect%and%influence%both%existing%and%planned%activities.!
%
4.1.6 Define!Policy!on!Data!Management!and!Storage!Roadmap!Areas:!N/A%
Timeline!/!Urgency:!!Q1/2%2016%
Recommended!Action:%Create%a%policy%that%specifically%clarifies%Data%Management%and%Storage,%
including%distribution.%%%
Data%types%that%we%suggest%to%address%specifically%are;%
• GIS%Data%(Riyas%&%Nathan%to%be%primary%influencers)%
• Source%Code%(Riyas%&%Nathan%to%be%primary%influencers)%
• Email%Archiving%
• Data%recovery%/%restore%processes%
• Work%in%progress%
• Collaborative%documents%and%files%
%
4.1.7 Review Source Code Management
Roadmap Areas: Security Focused Culture, and Endpoint & Application Access Security
Timeline / Urgency: Q1 2016
Recommended Action: In conjunction with Riyas & Nathan, review and document the management of source code, including the management of;
• Internally developed applications & data analysis tools
• Development Systems, tools and services used for application development
• Source Code shared with or provided to 3rd parties and research participants
• Who has access and to what extent

4.1.8 ISO Standard 27001 – Guiding Principles
Roadmap Areas: Security Focused Culture, and Future Considerations
Timeline / Urgency: Q3 2016 and beyond
Recommended Action: To assist with aligning Information Security practices and systems with best practice, it is suggested that the CRCSI considers using the principles of ISO/IEC 27001:2013 (Information Security Standard) as guiding principles for the CRCSI.
This incorporates the ongoing commitment to establish, implement, maintain and continually improve Information Security Management, in addition to providing both internal and external confidence in the way the CRCSI manages its systems and data.

4.1.9 Research Data and Project Review Data
Roadmap Areas: Security Focused Culture, and Future Considerations
Timeline / Urgency: Q2 2016
Recommended Action: The CRCSI review the structure of managing and storing the Research data to determine whether current access and structure is reflective of the sensitivity of the data contained within and staff requirements for accessing the data.

Note: The Defence Control Act 2012 may have implications on research projects in collaboration with international partners or stakeholders. It is suggested that these implications be considered on a ‘Project’ basis in addition to a known internal policy outlining guidance regarding the evaluation of the Act’s relevance to a project.
For additional information relating to the relevance of the CRCSI data and projects and the Act, refer to https://www.comlaw.gov.au/Details/F2015C00310/Download and https://dsgl.defence.gov.au/Pages/Home.aspx

These resources provide a specific list of information and services included within the Act, and a self assessment tool to determine if your specific application or data is controlled by the Act.

4.1.10 Document Sensitivity Rating
Roadmap Areas: Security Focused Culture, and Endpoint & Application Access Security
Timeline / Urgency: Q1 2016
Recommended Action: Update the existing Document/File naming convention to include an additional 2 digit security rating identifier. This identifier will easily show the intended audience in addition to the sensitivity of the content.
A suggested approach to this identifies either Internal or External audience, along with a Sensitivity Rating or Category.
By way of example;
• A public notice may be categorized as E1. E = External facing content, 1 = No sensitivity
• An organizational chart may be I2. I = Internal, 2 = Low sensitivity

4.2 Process & Capability Recommendations
4.2.1 New Systems or Applications Process
Roadmap Areas: Future Considerations
Timeline / Urgency: Q3 2016
Recommended Action: Outline a process that provides guidance and structure relating to new Systems or Applications. The process should include;
• Project ownership
• Evaluation and Requirement Scoping
• Budget and Procurement Authorisation
• Deployment Considerations
• End user Education and Training

4.2.2 New Equipment Purchasing Process
Roadmap Areas: Future Considerations
Timeline / Urgency: Q1/2 2016
Recommended Action: Outline a process that provides guidance and structure relating to new equipment and hardware for staff. The process should include;
• Estimated annual budget (equipment refresh)
• Individual categorization of role and specifications requirements (Low, Medium, High specifications of PC hardware / software)
• Standard PC/Laptop applications and accessories
• Budget allocation and procurement authorisation

4.2.3 New Staff Entry & Exit Process
Roadmap Areas: Future Considerations
Timeline / Urgency: Q2 2016
Recommended Action: Create a repeatable ICT related process for account and system user creation & removal for both new and exiting staff. The process should include;
• New account request process
• Application and System access & security details
• Email account creation standards
• Account removal checklists
• Mail archiving, and availability on exit including new email routing settings (Ex Staff)

4.2.4 Increased End User Education & Training
Roadmap Areas: Migrating to Office 365, and Future Considerations
Timeline / Urgency: Q1/2 2016 and ongoing
Recommended Action: Outline a process for enabling and providing staff with additional training and education on the effective use of systems and applications. The process should include;
• Estimated annual budget
• Relevant Systems and Applications included
• Request and approval
• Awareness of availability

4.2.5 Technical Support Escalation Process & Partnership
Roadmap Areas: Endpoint & Application Access Security, and Future Considerations
Timeline / Urgency: Q1 2016 and ongoing
Recommended Action: Identify and engage with an ICT technical services organization to provide coordinated ongoing assistance and support to the CRCSI and its staff.

4.2.6 Creation of Local PC Administrator On All Computers
Roadmap Areas: Future Considerations
Timeline / Urgency: Q2 2016
Recommended Action: Create a common ‘local’ Administrator account on CRCSI PCs and Laptops to provide underlying access to the PCs independent from the individual staff accounts on the computers. This will provide improved administration and management capabilities for the computers.

4.2.7 Increased Clarity on Defined Applications For Use
Roadmap Areas: Future Considerations, and Endpoint & Application Access Security
Timeline / Urgency: Q3 2016
Recommended Action: Outline and document the CRCSI’s approved and preferred list of applications for use by the staff. This assists in creating consistency and preventing ‘technology islands’ of unknown application and service usage.

4.2.8 Contact List Management
Roadmap Areas: Migrating to Office 365
Timeline / Urgency: Q2 2016
Recommended Action: Utilise Microsoft Office 365 to provide the authoritative source for Contact Lists and their ongoing management. (Currently some contact lists are individually managed, others within Mailchimp, and others within Pipedrive). A central authoritative source is important for the consistency, visibility, and currency of contacts relevant to the CRCSI.

4.2.9 Product Development and Management
Roadmap Areas: Future Considerations
Timeline / Urgency: 2017 / 18
Recommended Action: As a long term consideration, obtaining Product Development and Management capabilities is suggested to improve the commercialization of, and capitalize on the potential value of, source code and associated IP as ICT assets.

4.3 Data Protection Recommendations
4.3.1 2 Step Verification / Authentication for Dropbox
Roadmap Areas: Endpoint & Application Access Security, and Security Focused Culture
Timeline / Urgency: Q1 2016
Recommended Action: Plan and implement 2 step verification for all staff accounts accessing Dropbox.

4.3.2 Review Dropbox Folder Permissions
Roadmap Areas: Endpoint & Application Access Security, and Security Focused Culture
Timeline / Urgency: Q1 2016
Recommended Action: Review existing Dropbox Folder permissions with a view to limiting each individual user account's access to only those folders necessary to perform their role effectively and efficiently. The purpose of this is to limit data loss risk in the event of individual account compromise.

4.3.3 Implementation of Complex Phone PIN / Passcodes
Roadmap Areas: Endpoint & Application Access Security, and Security Focused Culture
Timeline / Urgency: Q1 2016
Recommended Action: Enforce the removal of simple PIN / passcode use on mobile devices, and enforce the use of complex passcodes in accordance with the new Password Policy.

4.3.4 Bitdefender AV / AM Security Software on PCs
Roadmap Areas: Endpoint & Application Access Security
Timeline / Urgency: Q1 2016
Recommended Action: The implementation of Bitdefender GravityZone Endpoint Security on all PCs / Laptops. Bitdefender offers best in class Antivirus and Antimalware with cloud based management. With unparalleled heuristic and performance architecture, it offers the most suitable and capable AV solution for the CRCSI.

4.3.5 Activate Remote Wipe Dropbox Capabilities
Roadmap Areas: Endpoint & Application Access Security
Timeline / Urgency: Q1 2016
Recommended Action: Plan and implement the use of Dropbox’s Remote Wipe capability, including end user education on the use of this and its purpose.

4.3.6 Laptop / PC Backup to Local NAS
Roadmap Areas: Endpoint & Application Access Security, and Future Considerations
Timeline / Urgency: Q2 2016
Recommended Action: Implement an automated backup of relevant Laptops / PCs when in the office. This will provide faster and smoother recovery from device failure, loss, or data corruption.
The recommended product for Windows operating systems is Veeam Endpoint Backup. This Veeam product is free, supports BitLocker (encryption), and is easy and flexible to deploy.

4.3.7 Office Backup of Dropbox Data
Roadmap Areas: Endpoint & Application Access Security, and Future Considerations
Timeline / Urgency: Q2 2016
Recommended Action: Automate a periodic onsite point in time snapshot / backup of all Dropbox data and files. This is suggested to be done in conjunction with 4.3.6 Laptop / PC Backup to Local NAS.

4.3.8 Periodic Dropbox Administrator Password Change & Role Review
Roadmap Areas: Endpoint & Application Access Security, and Security Focused Culture
Timeline / Urgency: Q1 2016 and ongoing
Recommended Action: Change the Dropbox Team Administrator password at least every 3 months. Additionally, incorporate a 3 month periodic review of role & folder permission allocations to all user accounts.

4.3.9 Device Hardening
Roadmap Areas: Endpoint & Application Access Security, and Future Considerations
Timeline / Urgency: Q2 2016
Recommended Action: Plan and implement changes to harden both phones and computers for staff that work remotely or travel away from the office. This recommendation does incorporate other specific recommendations within this review, and includes;
• Encryption of phones and laptops where appropriate
• Implementation of complex passcodes and passphrases
• 4.3.10 Implement Auto Wipe of Mobile Phones (with Microsoft Office 365)
• 4.3.5 Activate Remote Wipe Dropbox Capabilities
• 4.4.1 Application Updates & Patching
• Deactivating Windows File & Printer sharing where not necessary
• Setting auto lock to very short time limit.

4.3.10 Implement Auto Wipe of Mobile Phones
Roadmap Areas: Endpoint & Application Access Security, and Microsoft Office 365
Timeline / Urgency: Q2 2016
Recommended Action: To further protect against data loss risk in the event of lost or stolen phones, plan, educate, and implement the remote / auto wipe capabilities relating to mobile phones, including the use of the iPhone ‘Auto Erase’ feature after 10 failed attempts and Android’s similar capability. Utilise ‘Remote Wipe’ capabilities within the Microsoft Office 365 ‘Mobile Device Management’ (MDM) feature set.

4.3.11 Reviewing Application Whitelisting and Restricting Outgoing Internet Traffic
Roadmap Areas: Future Considerations
Timeline / Urgency: 2017 & 2018
Recommended Action: Plan for a future review of the suitability of implementing application whitelisting and restricting outgoing Internet traffic. These 2 items represent highly effective cyber protection measures, and we suggest considering the pros / cons and expense, and also the potential exposure to the CRCSI in the future.
Note: The implications of changing or controlling this are both expensive and onerous. Also, whilst utilizing the Melbourne University network and internet services, the restriction of outgoing internet traffic is potentially not possible.

4.4 Systems and Applications Recommendations
4.4.1 Migration to Office 365 for Email & Contact Management
Roadmap Areas: Migrating to Office 365
Timeline / Urgency: Q1 2016
Recommended Action: As discussed in the Strategic Roadmap Summary, this recommendation delivers a range of benefits and addresses a number of existing issues. The CRCSI may be eligible for Microsoft’s Not For Profit Donation that results in highly discounted rates for Microsoft Office 365. Please refer to the Strategic Roadmap Summary for additional information relating to this recommendation.

4.4.2 Application Updates & Patching
Roadmap Areas: Endpoint & Application Access Security
Timeline / Urgency: Q1 2016
Recommended Action: Implement a process for identifying software updates and security patches relating to PCs and Laptops, in addition to a process for ensuring they are applied in a timely and consistent fashion. This recommendation would be suitably incorporated into the scope of 4.2.5 Technical Support Escalation Process & Partnership.

4.4.3 Review Group Collaboration Requirements
Roadmap Areas: Future Consideration
Timeline / Urgency: Q3 2016
Recommended Action: The issues identified relating to the use of collaboration and group communication tools would benefit from a review of CRCSI requirements and possible improvements to increase productivity and efficiency. Many products are available to provide improved group collaboration and communication incorporating live document editing, voice & video conferencing, screen sharing and presenting. If the CRCSI is eligible for Microsoft Office 365 Non Profit pricing, the suite of collaboration and conferencing tools may be highly favourable and should be considered.

4.4.4 Evaluate Cloud Based Financial System
Roadmap Areas: Future Consideration
Timeline / Urgency: Q4 2016
Recommended Action: In line with the broader trend of moving all core services to cloud based systems, the existing Tensia equipment and service is recommended for review. At present the system is only available within the office, and whilst provided as a managed service, is dependent on the physical server located in the office. Cloud based accounting / financials provide flexible and feature rich alternatives that will provide the CRCSI with additional flexibility and potentially increased efficiencies with existing accounting / accounts processes.

4.4.5 CRM Project
Roadmap Areas: CRM Project, and Future Consideration
Timeline / Urgency: Q2/3 2016
Recommended Action: As discussed in the Strategic Roadmap Summary, this recommendation delivers a range of benefits and addresses a number of existing issues. Please refer to the Strategic Roadmap Summary for additional details relating to this recommendation.

4.4.6 Network Strategy Post Melbourne University
Roadmap Areas: Future Consideration
Timeline / Urgency: 2017
Recommended Action: As the CRCSI plans for the transition to a private equity organization, the future arrangements for alternative premises may not include the use of existing Network services provided by Melbourne University. We recommend that the CRCSI budget and plan for this change. This should also include a review of the business requirements and ideals in order to influence selection of premises to include the ability for, and cost effective access to, high capacity Internet services. The planning of the Network Strategy should incorporate;
• Internet capacity requirements and ideals
• Network infrastructure including LAN & WLAN
• Boundary Security requirements and related Security Infrastructure
• Telephony and Video functional requirements
• Project ownership and relocation plans

4.4.7 Remote Access to GIS Data
Roadmap Areas: Future Consideration
Timeline / Urgency: Q2/3 2016
Recommended Action: At present, access to the GIS data sets at the CRCSI is only available when in the office, or with the use of portable disk drives to transport partial data sets only. This creates inefficiencies at times and also results in increased management and tracking of data locations. We recommend that, in conjunction with recommendation 4.4.8 Corporate File Systems and Non GIS Data below, the CRCSI considers a review of the ideals relating to the management, protection, and housing of the GIS Data with a view to reviewing Australian based cloud services. This would provide increased capabilities relating to
• Accessing cloud computing capacity for short term very high processing requirements when running data analysis and modeling.
• Geographic redundancy of data between Melbourne & Sydney
• Access to the data when at partner locations, in addition to flexible & granular collaboration and 3rd party access when appropriate

4.4.8 Corporate File Systems and Non GIS Data
Roadmap Areas: Future Consideration
Timeline / Urgency: Q2/3 2016
Recommended Action: We recommend the CRCSI review whether Dropbox meets the security needs of the CRCSI based on the flexibility of folder permissions, and the issue of data sovereignty. The CRCSI should consider whether Australian located Microsoft Azure (or similar) services are more suitable for its business needs and its strategic objectives. As mentioned above, this recommendation and review would be suitable to perform in conjunction with recommendation 4.4.7 Remote Access to GIS Data.
5 Annex 1 – Recommendations Matrix

| Ref | Specific Recommendation | Strategic Roadmap Area | Suggested Timeline | Implementation Effort | Exposure & Importance | Impact & Relevance |
|---|---|---|---|---|---|---|
| | Policy and Culture Recommendations | | | | | |
| 4.1.1 | Password and Password Management Policy | Endpoint & Application Access Security | Q1 2016 | Low | High | High |
| 4.1.2 | Personal Mobile As Primary Phone | Endpoint & Application Access Security | Q1 2016 | Low | Med | Med |
| 4.1.3 | Update Personal Device Usage Policy | Endpoint & Application Access Security | Q1 2016 | Med | Med | Med |
| 4.1.4 | Creating Security Focused Culture | Security Focused Culture | Q1 2016 + | Med | Med | Med |
| 4.1.5 | Insurance Requirements of Data Management | All | Immediate | Low | Med | Low |
| 4.1.6 | Define Policy on Data Management and Storage | N/A | Q1/2 2016 | Low | Low | Med |
| 4.1.7 | Review Source Code Management | Endpoint & Application Access Security | Q1 2016 | Low | Med | Low |
| 4.1.8 | ISO Standard 27001 – Guiding Principles | Future Considerations | Q3 2016 + | Med | Low | Med |
| 4.1.9 | Research Data and Project Review Data | Future Considerations | Q3 2016 + | Low | Med | Low |
| 4.1.10 | Document Sensitivity Rating | Security Focused Culture | Q1 2016 | Low | Low | Low |
| | Process & Capability Recommendations | | | | | |
| 4.2.1 | New Systems or Applications Process | Future Considerations | Q3 2016 | Low | Low | Med |
| 4.2.2 | New Equipment Purchasing Process | Future Considerations | Q1/2 2016 | Low | Low | Low |
| 4.2.3 | New Staff Entry & Exit Process | Future Considerations | Q2 2016 | Low | Low | Med |
| 4.2.4 | Increased End User Education & Training | Future Considerations | Q1/2 2016 | Med | Low | Low |
| 4.2.5 | Technical Support Escalation Process & Partnership | Endpoint & Application Access Security | Q1 2016 + | Med | Low | Med |
| 4.2.6 | Creation of Local PC Administrator On All Computers | Future Considerations | Q2 2016 | Med | Low | Low |
| 4.2.7 | Increased Clarity on Defined Applications For Use | Future Considerations | Q3 2016 | Low | Low | Low |
| 4.2.8 | Contact List Management | Migration to Office 365 | Q2 2016 | Med | Low | Low |
| 4.2.9 | Product Development and Management | N/A | | n/a | n/a | n/a |
| | Data Protection Recommendations | | | | | |
| 4.3.1 | 2 Step Verification / Authentication for Dropbox | Endpoint & Application Access Security | Q1 2016 | Med | High | High |
| 4.3.2 | Review Dropbox Folder Permissions | Endpoint & Application Access Security | Q1 2016 | Low | Med | Med |
| 4.3.3 | Implementation of Complex Phone PIN / Passcodes | Endpoint & Application Access Security | Q1 2016 | Low | Med | Med |
| 4.3.4 | Bitdefender AV / AM Security Software on PCs | Endpoint & Application Access Security | Q1 2016 | Med | High | High |
| 4.3.5 | Activate Remote Wipe Dropbox Capabilities | Endpoint & Application Access Security | Q1 2016 | Low | Med | Med |
| 4.3.6 | Laptop / PC Backup to Local NAS | Future Considerations | Q2 2016 | Med | Low | Med |
| 4.3.7 | Office Backup of Dropbox Data | Future Considerations | Q2 2016 | Low | Med | Low |
| 4.3.8 | Periodic Dropbox Administrator Password Change & Role Review | Endpoint & Application Access Security | Q1 2016 + | Low | High | Low |
| 4.3.9 | Device Hardening | Endpoint & Application Access Security | Q2 2016 | Med | Med | Med |
| 4.3.10 | Implement Auto Wipe of Mobile Phones | Migration to Office 365 | | Low | Med | Low |
| 4.3.11 | Reviewing Application Whitelisting and Restricting Outgoing Internet Traffic | Future Considerations | 2017 + | High | Low | Low |
| | Systems and Applications Recommendations | | | | | |
| 4.4.1 | Migration to Office 365 for Email & Contact Management | Migration to Office 365 | Q1 2016 | High | Med | High |
| 4.4.2 | Application Updates & Patching | Endpoint & Application Access Security | Q1 2016 | Med | Med | Med |
| 4.4.3 | Review Group Collaboration Requirements | Future Considerations | Q3 2016 | Med | Low | Low |
| 4.4.4 | Evaluate Cloud Based Financial System | Future Considerations | Q4 2016 | High | Low | Med |
| 4.4.5 | CRM Project | CRM Project | Q2/3 2016 | High | Med | Med |
| 4.4.6 | Network Strategy Post Melbourne University | Future Considerations | 2017 + | High | Med | Med |
| 4.4.7 | Remote Access to GIS Data | Future Considerations | Q2/3 2016 | High | Low | Med |
| 4.4.8 | Corporate File Systems and Non GIS Data | Future Considerations | Q2/3 2016 | High | Low | Med |

6 Annex 2 – Department of Defence CSOC – Top 35 Strategies to Mitigate Targeted Cyber Intrusions
This list, as published by the Department of Defence and updated Feb 2014, shows how the existing CRCSI infrastructure and services perform.

| Ranking | Mitigation Strategy | Current Compliance | Service Realm | Planned Compliance | Roadmap Reference / Note |
|---|---|---|---|---|---|
| 1 | Application Whitelisting | No | CRCSI | No | Future Consideration |
| 2 | Patch Applications | No | CRCSI | Yes | Endpoint & Application Access Security |
| 3 | Patch Operating System Vulnerabilities | MU - Yes | CRCSI & MU | Yes | Endpoint & Application Access Security |
| 4 | Restrict Administration Privileges | MU - Yes | CRCSI & MU | No | Not planned for CRCSI |
| 5 | User application Configuration Hardening | Unknown | CRCSI | Yes | Endpoint & Application Access Security |
| 6 | Automated dynamic analysis | MU - Yes | CRCSI & MU | Yes | Endpoint & Application Access Security |
| 7 | Operating system generic exploit mitigation | No | CRCSI | No | Not planned for CRCSI |
| 8 | Host-based Intrusion Detection/Prevention | No | CRCSI | Yes | Endpoint & Application Access Security |
| 9 | Disable local administrator accounts | No | CRCSI | No | Not planned for CRCSI |
| 10 | Network segmentation and segregation | Yes | MU | | |
| 11 | Multi-factor authentication | No | CRCSI | Yes | Office 365 & Dropbox planned |
| 12 | Software based application firewall | Yes | MU | | |
| 13 | Software based application firewall - blocking outgoing traffic | No | MU | No | MU defined network function |
| 14 | Non-persistent virtualised sandbox trusted operating environment | No | CRCSI | Yes | Endpoint & Application Access Security |
| 15 | Centralised and time-synchronised logging | No | CRCSI | No | Not planned for CRCSI |
| 16 | Centralised and time-synchronised logging network events | Yes | MU | | |
| 17 | Email content filtering | Assumed Yes | Google | Yes | Migrating to Office 365 |
| 18 | Web content filtering | Yes | MU | | |
| 19 | Web domain whitelisting for all domains | No | MU | No | MU defined network function |
| 20 | Block spoofed emails | Assumed Yes | Google | Yes | Migrating to Office 365 |
| 21 | Workstation and server configuration management | No | CRCSI | No | Not planned for CRCSI |
| 22 | Antivirus Software running heuristics | No | CRCSI | Yes | Endpoint & Application Access Security |
| 23 | Deny direct internet access from workstations | No | MU | No | MU defined network function |
| 24 | Server application configuration hardening | N/A | | | |
| 25 | Enforce strong passphrase policy | No | CRCSI | Yes | Endpoint & Application Access Security |
| 26 | Removable and portable media control | No | CRCSI | No | Not planned for CRCSI |
| 27 | Restrict access to Server Message Block and NetBIOS | No | CRCSI | No | Not planned for CRCSI |
| 28 | User Education | No | CRCSI | Yes | Security Focused Culture |
| 29 | Workstation inspection of Microsoft Office files | Unknown | CRCSI | Yes | Endpoint & Application Access Security |
| 30 | Signature based Antivirus software | Yes | CRCSI | Yes | Endpoint & Application Access Security |
| 31 | TLS encryption between email servers | N/A | | | |
| 32 | Block attempts to access websites by their IP address | No | MU | No | MU defined network function |
| 33 | Network based Intrusion Detection / Prevention | Yes | MU | | |
| 34 | Gateway blacklisting | No | MU | No | MU defined network function |
| 35 | Capture Network Traffic | Yes | MU | | |

ASIO > Australian Cyber Security Centre - Key Publication > DoD > Australian Signals Directorate > Cyber Security Operations Centre
Full document (summary) available at http://www.asd.gov.au/publications/Mitigation_Strategies_2014.pdf

7 Annex 3 – Existing CRCSI Risk Management Controls

As outlined within the CRCSI Risk Management Plan & Register V1.4 (May 2015) there are existing controls in place that relate to IT risk management. These have been included for reference purposes and provide additional context regarding findings and recommendations from the review.

‘Intellectual property not protected or not properly commercialised’ (Asset Management 3.2) has been identified with the following existing controls;
- IP register and IP Policy guidelines include publishing process
- Experienced Project leaders
- Well documented contracts
- Project Leaders manual and Utilisation Plans developed

Staff geographic dependency on office location risk is identified in ‘Damage and/or destruction to business premises so that staff are unable to work there (business continuity risk)’ (Asset Management 3.7). Existing controls are;
- Adequate insurance policies in place
- Business Continuity Plan reviewed and updated annually

For the management and mitigation of ‘Information Technology catastrophic failure and loss of research in participants’ (Research 4.9), the existing controls are;
- Individual researchers to ensure offsite backup and computing redundancy
- Provision of IT support and institutional policies or research providers
- Project Leaders manual

For the management and mitigation of ‘Information Technology catastrophic failure and loss of corporate information (business continuity risk)’ (Administration 5.4), the existing controls are;
- Daily offsite backup and computing redundancy
- Admin staff located offsite to ensure offsite backup and computing redundancy
- Provision of IT Support and institutional policies at Head Office
- Password plan

For the management and mitigation of ‘Accounting software failure and loss of information (business continuity risk)’ (Administration 5.5), the existing controls are;
- Software backed up daily
- Commercial grade software
- Space need non-specialised with multi-location options
- Outsourced payroll data
- Business Continuity Plan and disaster recovery plan
- Data backed up remotely on a daily basis using Sage Data Secure

For the management and mitigation of ‘External – Risk of cyber crime including theft of, misuse and or serious damage to digital records’ (Administration 5.10), the existing controls are;
- Spam filters, anti virus software & firewalls for e-mail
- Encrypted data transfer and storage process for Admin files (stored in Dropbox) and Accounting files stored with Sage Data Secure

For the management and mitigation of ‘Internal – Risk of cyber crime including theft of, misuse and or serious damage to digital records’ (Administration 5.11), the existing controls are;
- Spam filters, anti virus software & firewalls for e-mail
- Access controls on who can access corporate files
- Exit checklists to ensure access removed for staff who leave
- Devices (laptops etc) with corporate information not taken on overseas business trips to certain countries.

For the management and mitigation of ‘An employee(s) of a CRCSI participant acts to damage the reputation of the CRCSI’ (External Relations 6.5), the existing controls are;
- Media Protocols in place
- Regular participant surveys conducted to assess satisfaction
- Immediate attention by CEO and executive
- Social media guidelines developed