Could You Please Explain How the IRAP Assessment Program Works?
Within Australia, IRAP is viewed as a gold-standard risk-based assessment program across the public sector, as well as financial services, primary industries, health care and other regulated industries. The program provides a process for the independent assessment of a system’s security against Australian government policies and guidelines.
Under IRAP, Australian Signals Directorate (ASD)-certified public and private sector assessors review the security posture of organisations like Workday to identify risks and suggest mitigation measures. These assessors are qualified in Information and Communications Technology, security assessment and risk management and have a detailed knowledge of the ISM, which details a framework designed to help organisations protect against cyber threats. Overall, IRAP aims to secure industry and Australian Government systems and data.
What Does the IRAP Assessment Mean for Workday Customers and Prospects?
The IRAP assessment means Australian public service organisations can store workloads up to PROTECTED–including OFFICIAL–on Workday HCM, Financial Management, Analytics, Talent Management, Workforce Management and Workday Adaptive Planning hosted in AWS Australia. Most importantly, it means Workday has passed a rigorous assessment process incorporating hundreds of hours of poring over evidence, participating in deeply technical interviews, and proving our security reaches Australian Government standards.
IRAP is the ‘tip of the spear’ in interacting with Australian public sector organisations. ‘What is your IRAP assessment status?’ is generally one of the first questions the teams in these organisations ask us and the assessment is a bar we simply had to clear to work with highly regulated organisations managing very sensitive workloads.
With the assessment in place, we can assure organisations that we manage citizen data appropriately and help them manage the risk involved. With our support and guidance, Workday customers and prospects can review the IRAP documentation and make their own risk-based decisions based on the assessment findings.
We’re committed now to maintaining the IRAP assessment over the long term and conducting external assessments every 24 months at a minimum. We’ll also conduct regular assessments of our applications and infrastructure against updates to the ISM, that incorporate the latest government guidance about threats and mitigations, and typically take place every one to three months.
What Does the IRAP Assessment Demonstrate about Workday to Public Sector Organisations in the Region and Worldwide?
An IRAP assessment is one of the most detailed and complex programs a business like ours can embark on. While the assessment demands a big commitment of time, it gave us another lens on our security environment we could use to make changes or updates in the service of constant improvement.
At Workday, we’ve always focused on data security and compliance, as demonstrated by our existing certifications and assessments. We’re continuing to invest in trust in the Asia-Pacific region and Japan and build our understanding of the nuances of individual markets by adding skilled team members in the region. This complements our ongoing capability development in North America and Europe.
Overall, we continue to look locally and serve globally implementing the security controls, frameworks, and assessments public sector, and commercial, customers across the region need to use our powerful finance, human resources, and workforce management applications.