The Victorian environmental watchdog’s recent investments in staff cyber awareness, data leakage prevention and cloud environment controls align with its security program’s goal of going beyond regulatory box-ticking through proactive risk management.
Box-ticking vs risk-based approach
Environmental Protection Authority (EPA) Victoria’s CISO Vijay Narayan broke down the cyber security program’s advancements in the past year across its different categories.
“Improving staff education about security, improving the security controls of our cloud environments and end-user systems and preventing data leakage – I think the investment has paid off in a lot of these areas,” Narayan told iTnews.
Narayan listed the ways EPA hardened its defences in these areas, while explaining how each investment fitted into its risk-based cyber security program that sought to exceed compliance standards.
“There is a regulation that sets a minimum standard that everyone has to meet and its obligations are very clear, but incidents can still happen,” he said.
“So it is about constant improvement; finding our weaknesses and vulnerabilities; measuring our control gaps; prioritising those control gaps and targeting them.”
Catering cyber education to different teams
Narayan said EPA had planned its organisation-wide security training with the goal of finding employees who needed to improve their cyber knowledge the most.
“We have already had an information security training program in place – but beyond that, we have things like phishing simulations,” he said.
Narayan said during a presentation at CISO Melbourne 2023 that the security awareness program included “tabletop exercises at multiple levels” that trained staff to manage the risks that the team was most likely to face.
“There’s one targeting IT, one targeting operations and ones for executive leadership.
“Asking them, ‘There has been a breach, what are you going to do?’ are the kinds of exercises we might run. The scenario deals with business issues that member of the organisation would be most likely to face.”
Investments in data leakage prevention
After several high-profile data breach incidents, coverage about data leakage has centred on the reputational damage of customer database leaks.
Narayan said that for government watchdogs, the dangers were more about compromising investigations and prosecutions.
EPA has recently advanced its data governance capabilities to prevent data leakage, Narayan said.
“We are just starting to use the capabilities available in Microsoft Information Protection (MIP), which is now called Microsoft Purview.
“We are currently using MIP for document/email classification and labelling. Labelling has helped us to enforce additional security controls depending on sensitivity, and we have implemented data leakage monitoring rules as per classification.”
Narayan added that “to complement the MIP platform” EPA “began to implement DTEX in early July.”
“We use DTEX to monitor specific scenarios related to data leakage and user behaviour, and] we can develop specific new use cases to prevent leakages.
“DTEX has built-in off-the-shelf advanced detection rules and uses cases that produce actionable detections and reduces alert fatigue.”
Securing cloud environments
Another big focus of EPA’s security program in the past year was improving cloud environment controls, Narayan said.
“Around 70-to-80 per cent of EPA’s IT operations are cloud-based… I think we have somewhere around 80 percent on the Microsoft 365 and Azure cloud secure score,” Narayan said.
“We’ve received guidance from the Victorian government about our standards and what the preferred benchmarks are that they want to us meet.”
Narayan said that Microsoft cloud security posture management helped guide how EPA improved its cloud security.
“It provides specific recommendations about what we need to do in order to get security prioritised.”
About Author
