Case Study: The Treasury
Data Classification & Risk Assessment
MXA was engaged by the Treasury to perform a risk assessment of a cloud-based analysis tool. The assessment covered the data that was to be ingested by the tool and an overall assessment of that data's classification against the Australian Government Protective Security Policy Framework (PSPF).
The Treasury CFO division (CFOD) was seeking to use a cloud-based financial analysis tool to process and analyse financial and payroll data, which meant that the data would be processed on infrastructure outside the Treasury's control. The purpose of using the tool was both to reduce the financial analysis burden on CFOD staff and to improve the quality of the insights obtained from financial analysis.
Before the Treasury could decide whether to use the tool, it needed to understand the sensitivity of the data to be analysed, as well as the implications and risks of processing that data through an externally hosted, cloud-based tool. The engagement was also an opportunity for the Treasury to establish a standard framework for assessing future software and tools that handle potentially sensitive data. In assessing the cloud-based tool, MXA helped to define a methodology that the Treasury could reuse for assessing future software.
MXA performed a comprehensive assessment of both the financial data the Treasury was proposing to analyse in the cloud and the cloud-based financial analysis tool itself. We engaged with the business area looking to use the tool to identify its requirements and gather information. We then held workshops with the relevant technical teams within the Treasury to understand the current data and its security and privacy implications. We also engaged the vendor to establish the solution context, its technical details and risks, and its compliance with government standards.
Assessment was performed against a broad range of relevant government standards including:
- Whole of Government Hosting Strategy (supply chain, sovereignty and hosting principles)
- Security classification under the PSPF
- Limited assessment against ASD Cyber Supply Chain Risk Management guidance
- Privacy Act and the Australian Privacy Principles
- ACSC cloud computing requirements
- Agency risk appetite
- Office of the Australian Information Commissioner (OAIC) guidance
- Notifiable Data Breaches scheme
Outcome & Benefits
MXA classified the data as OFFICIAL: Sensitive, giving the Treasury clear guidance on the handling and compliance requirements that follow from that classification. We identified and highlighted the risks of uploading the data and using the financial analysis tool, particularly the risks to personal and organisational privacy, and provided clear recommendations for mitigating or treating those risks by limiting the use of sensitive data without reducing the business value of the financial analysis. As part of the engagement we also communicated these findings and recommendations to Treasury stakeholders to ensure they understood the tool's impact on their data risk profile.
This gave the Treasury a clear understanding of how the data should be handled under the PSPF, together with evidence and advice on its compliance with other relevant government standards (for example the Australian Privacy Principles and the ISM), which in turn gave the Treasury security team the inputs needed to meet its security requirements. Our report also provided a framework under which future assessments of other services can be performed using a standard methodology.