Securing Sensitive Citizen Data for Public Sector Organisations In a Rapidly Changing Cybersecurity Environment

Robyn Frye of Workday explains what a recently completed IRAP assessment means for public sector organisations in Australia and outlines how we are building our capabilities across the region. 

Workday has completed an Information Security Registered Assessor Program (IRAP) assessment that validates how our security controls and technologies protect data to Australian Government standards. By completing an IRAP assessment, we can help minimise risk for public sector organisations that process and store data in the Workday environment. 

To provide clarity on data security, the IRAP program process, and how we can manage citizen data and risk appropriately, Robyn Frye, Vice President, Enterprise Technology Compliance, Workday, and Mathew Graham from Workday’s Global Trust Office, answer the top questions about Workday’s IRAP assessment. 

How is Workday Responding to the Data Security Challenges Faced by Public Sector Organisations in Australia?

Unfortunately, public sector organisations that deal with sensitive data, including citizen information, face an increasing number of cyberattacks that are becoming more sophisticated. In this evolving landscape, organisations look to trusted suppliers like Workday to help secure data and stay abreast of security trends. We, and other suppliers, must comply with strict regulations around the capture, storage, use, and protection of data. At Workday, we’re proactively adopting frameworks and implementing controls to raise the bar on security and assure organisations in the public sector and other industries that we handle data safely and appropriately.

In Australia, the Information Security Registered Assessor Program (IRAP) and the Information Security Manual (ISM) are key to the government’s cybersecurity defences. By completing an IRAP assessment, we can help minimise risk for public sector organisations that process and store data in the Workday environment. Furthermore, with IRAP, we can speak the language of, and demonstrate our commitment to, the Australian public sector market.   

What Is the Relationship Between the IRAP Assessment and Workday’s Appointment to the Australian Digital Transformation Agency (DTA) Cloud Marketplace?

These developments are complementary and, combined, provide extra assurance to public sector organisations of our ability to comply with government requirements and standards. While IRAP covers ICT security, the DTA manages ICT procurement on behalf of the Australian Government, including the establishment of marketplaces, panels, and agreements to simplify selling digital products and services to the government. 

Because appointment to the DTA Cloud Marketplace preceded our IRAP assessment, we undertook extensive work through the submission process to demonstrate our data security model.       

What Did the IRAP Assessment Process Entail for Workday?

We started work on our IRAP assessment in February 2019 with an external review of our security posture. This review provided a platform to build on our existing controls and policies to meet IRAP requirements. 

The Australian Government Protective Security Policy Framework has four classifications: OFFICIAL, PROTECTED, SECRET and TOP SECRET. We initially planned to seek assessment to OFFICIAL level, but our diligence in keeping customer data safe at Workday meant our cloud environment was already closer to PROTECTED, the highest classification available to a public cloud service. This prompted us to work towards the higher classification. Our IRAP assessment work also received a boost when Workday announced a new AWS region in Australia. AWS has achieved IRAP PROTECTED level assessment, limiting the IRAP obligations Workday needs to maintain and have assessed.

The assessor began the process with a written evaluation of our processes, before moving to a technical assessment incorporating deep-dive interviews with our service, compliance and legal teams, and a review of the AWS PROTECTED assessment environment.

The process entailed extensive collaboration across multiple teams in the Workday business, including production, infrastructure, and business technology. The numbers reveal the scale of the work involved: we tested 570 in-scope controls covering more than 22 control sets, spanning topics such as database systems, system hardening and cryptography, while our subject matter experts supported 21 technical walkthroughs and workshops. In addition, we submitted 320 pieces of evidence for the external assessor’s review and evaluation.

Could You Please Explain How the IRAP Assessment Program Works?

Within Australia, IRAP is viewed as a gold-standard risk-based assessment program across the public sector, as well as financial services, primary industries, health care and other regulated industries. The program provides a process for the independent assessment of a system’s security against Australian government policies and guidelines.

Under IRAP, Australian Signals Directorate (ASD)-certified public and private sector assessors review the security posture of organisations like Workday to identify risks and suggest mitigation measures. These assessors are qualified in Information and Communications Technology, security assessment and risk management and have a detailed knowledge of the ISM, which details a framework designed to help organisations protect against cyber threats. Overall, IRAP aims to secure industry and Australian Government systems and data. 

What Does the IRAP Assessment Mean for Workday Customers and Prospects?

The IRAP assessment means Australian public service organisations can store workloads up to PROTECTED, including OFFICIAL, on Workday HCM, Financial Management, Analytics, Talent Management, Workforce Management and Workday Adaptive Planning hosted in AWS Australia. Most importantly, it means Workday has passed a rigorous assessment process incorporating hundreds of hours of poring over evidence, participating in deeply technical interviews, and proving our security reaches Australian Government standards.

IRAP is the ‘tip of the spear’ in interacting with Australian public sector organisations. ‘What is your IRAP assessment status?’ is generally one of the first questions the teams in these organisations ask us and the assessment is a bar we simply had to clear to work with highly regulated organisations managing very sensitive workloads. 

With the assessment in place, we can assure organisations that we manage citizen data appropriately and help them manage the risk involved. With our support and guidance, Workday customers and prospects can review the IRAP documentation and make their own risk-based decisions based on the assessment findings. 

We’re committed now to maintaining the IRAP assessment over the long term and conducting external assessments every 24 months at a minimum. We’ll also conduct regular assessments of our applications and infrastructure against updates to the ISM, which incorporate the latest government guidance about threats and mitigations and typically take place every one to three months.

What Does the IRAP Assessment Demonstrate about Workday to Public Sector Organisations in the Region and Worldwide?

An IRAP assessment is one of the most detailed and complex programs a business like ours can embark on. While the assessment demands a big commitment of time, it gave us another lens on our security environment we could use to make changes or updates in the service of constant improvement. 

At Workday, we’ve always focused on data security and compliance, as demonstrated by our existing certifications and assessments. We’re continuing to invest in trust in the Asia-Pacific region and Japan and build our understanding of the nuances of individual markets by adding skilled team members in the region. This complements our ongoing capability development in North America and Europe. 

Overall, we continue to look locally and serve globally, implementing the security controls, frameworks, and assessments that public sector and commercial customers across the region need in order to use our powerful finance, human resources, and workforce management applications.
