IRAP Assessor - Canberra (as required, 12-18 months)
Our business/system owner is seeking an IRAP assessor (Embedded Assessor) to support their progression through the assessment process, working in collaboration with Cyber Security Assessments & Authorisation (CSAA) within the Defence Cyber and Information Assurance Branch (DCIAB). If shortlisted, DCIAB will independently validate that you are suitably qualified, experienced, and aligned with Defence expectations.
DCIAB is responsible for conducting security assessments and has established a framework to evaluate and appoint assessors to perform assessments on its behalf. This process ensures that individuals meet the eligibility, suitability, and experience requirements necessary to fulfil the obligations of the DCIAB assessment function, in alignment with the PSPF, DSPF and other internal governance requirements. The process broadly consists of the following steps:
* Validate basic eligibility (e.g. authorised procurement, clearance)
* Candidate submits a Conflict of Interest declaration (AF220 – Defence Conflict of Interest Declaration)
* CSAA reviews the candidate's resume and qualifications
* CSAA interviews the candidate (e.g. to validate expertise, assess communication skills, and gauge their approach to security assessments)
* CSAA endorses/appoints the embedded assessor (formalised in an Appointment Letter)
DCIAB retains technical control of the assessment function. Embedded assessors operate under DCIAB authority and are expected to carry out assessments to the standard it prescribes. All outputs are subject to peer review and acceptance processes, and DCIAB reserves the right to revoke an appointment if performance does not align with its requirements. DCIAB also retains the right to direct rework or modification of deliverables as required.
DCIAB preferred cyber security professional profile:
* Meets or exceeds the baseline standards of the ASD IRAP. The ideal candidate is either an ASD-endorsed IRAP Assessor or a professional with equivalent qualifications and experience.
* Has practical knowledge of the Information Security Manual (ISM), related Defence security policy, and the Capability Lifecycle (e.g. One Defence Capability System, Golden Thread, and Fundamental Inputs to Capability).
* Has hands-on experience in conducting ICT security assessments or similar security/risk engagements.
* Demonstrates strong professional conduct, integrity, and communication abilities. They should be adept at interacting with a range of stakeholders (from technical staff to senior executives), explaining security risks and recommendations clearly, and producing well-written, actionable reports.
Of note, conflict of interest circumstances are those which affect a security assessor's ability to perform their work or fulfil their responsibilities with impartiality. Circumstances that might influence the security assessor's provision of services include:
* personal relationships
* interests, or
* corporate affiliations.
It is also considered a conflict of interest for an assessment to be performed on a system where the security assessor, or another party with a personal relationship, interest or corporate affiliation to the security assessor, has direct influence over the system. This influence includes, but is not limited to, the development, ownership or update of system components, documentation, mitigation advice, or implementation guidance provided for the system. This applies even if the work was completed through a separate reporting structure, at a different physical location, or at an earlier point in time.
Should this role be of interest to you we look forward to receiving your detailed resume outlining your IRAP Assessment experience.