Home Affairs Modernizes ‘Authority to Operate’ Process with ServiceNow for ICT Security Compliance

The Department of Home Affairs has fully digitized its “authority to operate” (ATO) process for ICT systems to meet key compliance requirements under the Protective Security Policy Framework (PSPF) and the Essential Eight. This modernization effort, led by cyber risk management director Alex Reale, is expected to improve the efficiency and oversight of cybersecurity measures across hundreds of departmental systems.

Upon joining the department in early 2023, Reale discovered that while ServiceNow had already been selected to support the ATO process, the department was initially attempting to replicate its traditional manual approach within the digital platform. Previously, ATO assessments relied on a cumbersome mix of spreadsheets, Word documents, and emails, causing reviews to stretch up to 12 weeks for each system. This was particularly challenging given the vast number of systems requiring regular authorization.

Reale endorsed the shift to ServiceNow’s Continuous Authorization and Monitoring module, departing from the old approach to better leverage automation and streamline workflows. “Now we’re at a point where we can demonstrate alignment with the PSPF and Essential Eight, meeting the requirements of the ACSC’s Information Security Manual (ISM),” Reale stated at the ServiceNow World Forum in Melbourne.

With ServiceNow, Home Affairs has codified a six-step ATO process that includes assigning system ownership, cataloging information assets, assessing potential threats, and selecting appropriate security controls. ServiceNow pre-integrates the ISM and Essential Eight controls, allowing for detailed compliance tracking. Additionally, Home Affairs has created custom policy controls within the platform to address specific needs.

The ATO process also includes automated notifications for system owners, who must attest to the implementation of security controls and provide supporting evidence within ServiceNow. Reale noted that this automated communication replaced the manual efforts previously required to collect attestations, while the system’s structured testing plans and risk assessment tools allow the cyber risk team to monitor and report on system compliance effectively.

The final stage involves formal authorization, where residual security risks are reviewed, and the CISO determines if the system can operate in production based on ServiceNow’s automated risk assessments. Once authorized, continuous monitoring within ServiceNow allows the department to report on any changes in system security controls.
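The six-step lifecycle described above (ownership, asset catalogue, threat assessment, control selection, owner attestation with evidence, and an authorization decision followed by continuous monitoring) can be modelled as a small state check. The following is an added illustration, not code from Home Affairs or from ServiceNow's Continuous Authorization and Monitoring module; the control identifiers, risk weights, risk appetite and the `SystemRecord` / `control_drift` functions are constructed for the example and are not real ISM or Essential Eight control numbers.

```python
"""Toy model of a six-step 'authority to operate' (ATO) lifecycle.

Added example, not the department's or ServiceNow's code. Control IDs,
weights and the risk-appetite threshold are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    control_id: str      # constructed placeholder, not a real ISM control number
    description: str
    weight: int          # constructed: residual risk an unmet control contributes


@dataclass
class Attestation:
    implemented: bool
    evidence: Optional[str]   # e.g. a link to a scan report; None = no evidence yet


@dataclass
class SystemRecord:
    name: str
    owner: Optional[str]
    assets: List[str]
    threats: List[str]
    selected_controls: List[Control]
    attestations: Dict[str, Attestation] = field(default_factory=dict)


def readiness_gaps(system: SystemRecord) -> List[str]:
    """Steps 1-4: what is still missing before assessment can begin."""
    gaps = []
    if not system.owner:
        gaps.append("no system owner assigned")
    if not system.assets:
        gaps.append("no information assets catalogued")
    if not system.threats:
        gaps.append("no threats assessed")
    if not system.selected_controls:
        gaps.append("no controls selected")
    return gaps


def attestation_gaps(system: SystemRecord) -> List[str]:
    """Step 5: controls the owner has not attested to, or attested without evidence."""
    gaps = []
    for ctrl in system.selected_controls:
        att = system.attestations.get(ctrl.control_id)
        if att is None:
            gaps.append(f"{ctrl.control_id}: no attestation")
        elif att.implemented and not att.evidence:
            gaps.append(f"{ctrl.control_id}: attested implemented but no evidence")
    return gaps


def residual_risk(system: SystemRecord) -> int:
    """Sum the weights of controls not attested as implemented with evidence."""
    score = 0
    for ctrl in system.selected_controls:
        att = system.attestations.get(ctrl.control_id)
        if att is None or not att.implemented or not att.evidence:
            score += ctrl.weight
    return score


def authorization_decision(system: SystemRecord, risk_appetite: int) -> Tuple[bool, str]:
    """Step 6: the authorizer's view. Returns (authorized, reason)."""
    gaps = readiness_gaps(system) + attestation_gaps(system)
    if gaps:
        return False, "; ".join(gaps)
    risk = residual_risk(system)
    if risk > risk_appetite:
        return False, f"residual risk {risk} exceeds appetite {risk_appetite}"
    return True, f"residual risk {risk} within appetite {risk_appetite}"


def control_drift(baseline: Dict[str, Attestation],
                  current: Dict[str, Attestation]) -> List[str]:
    """Continuous monitoring: control IDs whose state changed since authorization."""
    changes = []
    for cid in sorted(set(baseline) | set(current)):
        before, after = baseline.get(cid), current.get(cid)
        if before is None or after is None or before.implemented != after.implemented:
            changes.append(cid)
    return changes


# Constructed sample data for a hypothetical system.
CONTROLS = [
    Control("CTRL-001", "Applications patched within the defined timeframe", 5),
    Control("CTRL-002", "Multi-factor authentication for privileged users", 8),
    Control("CTRL-003", "Daily backups tested for restoration", 3),
]


def sample_system() -> SystemRecord:
    return SystemRecord(
        name="Example Case Management",
        owner="owner@example.invalid",
        assets=["case records"],
        threats=["credential theft", "exploitation of an unpatched service"],
        selected_controls=CONTROLS,
        attestations={
            "CTRL-001": Attestation(True, "scan-report-2024-01"),
            "CTRL-002": Attestation(True, "idp-policy-export"),
            "CTRL-003": Attestation(False, None),
        },
    )


if __name__ == "__main__":
    system = sample_system()
    print(authorization_decision(system, risk_appetite=5))
    later = dict(system.attestations)
    later["CTRL-002"] = Attestation(False, None)   # MFA switched off after authorization
    print("drift since authorization:", control_drift(system.attestations, later))
```

The point of `control_drift` is the continuous-monitoring stage: once the baseline attestations are recorded at authorization time, any later change in a control's state is surfaced as a list of affected control IDs, which is what a reporting view would flag to the cyber risk team.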

Reale highlighted that this shift not only streamlined the ATO process but also allowed for visualizations that make it easier to communicate system risk and compliance statuses to executives. The department can now demonstrate compliance with the PSPF and Essential Eight and ensure that accountable authorities have up-to-date information for decision-making.

This overhaul has led to a more responsive and accountable cybersecurity posture at Home Affairs, supporting a secure digital environment and enhancing the department’s ability to manage cyber risks efficiently.