Our DISP Compliance Statement
Overview of Our Compliance Approach
Our compliance strategy is built on four key pillars:
- Risk Management: Continuous identification, assessment, and mitigation of risks related to Defence information and operations.
- Policy Implementation: Comprehensive and up-to-date policies governing information security, access control, incident response, and personnel security.
- Training and Awareness: Regular training programs for staff to ensure they understand and adhere to DISP requirements and security best practices.
- Monitoring and Auditing: Ongoing monitoring of compliance measures, supported by regular internal and external audits to identify and address any gaps.
We leverage industry best practices, a proactive risk management approach, and strict adherence to security protocols to protect Defence information and our interests.
Our Risk Management Policy drives our compliance efforts by focusing on:
- Identifying Risks: We systematically assess risks associated with handling Defence-related information, supplier relationships, and internal processes.
- Mitigating Risks: Our mitigation strategy incorporates a range of controls, both Vaxa-specified and Defence-specified, such as access restrictions, cryptographic measures, and incident response protocols, to address potential vulnerabilities.
- Monitoring Risks: We continuously monitor potential risks through regular assessments, incident tracking, and analytics, coupled with our broader external audit program.
By integrating risk management with DISP requirements, we ensure that threats are addressed proactively and compliance is maintained at all times.
Our compliance relies on a comprehensive set of policies, endorsed at the highest level and implemented in our day-to-day operations. These are designed to meet not only DISP Entry Level standards, but also the requirements of the Essential Eight (now) and ISO27001 (in future).
These include:
| Policy | Description |
|---|---|
| Information Security Policy | Defines the overarching framework for protecting sensitive information. |
| Access Control Policy | Manages access to systems and information based on the principle of least privilege, supported by multi-factor authentication (MFA). |
| Incident Response Policy | Provides a structured approach for responding to security incidents, including breaches of Defence information. |
| Personnel Security Policy | Details security clearance and vetting processes for all personnel handling sensitive Defence information. |
Each policy is regularly reviewed on a set cadence to stay aligned with changes in DISP requirements and the evolving threat landscape.
Every Vaxa employee should consider themselves as playing a key role in ensuring compliance with DISP standards, whether they're technically in scope or not. This includes you.
To support them, we have a robust training and awareness program that covers:
- DISP Security Awareness Training: Mandatory for all staff, focusing on the requirements of DISP and the handling of Defence-related information.
- Role-Specific Training: Additional training for staff with elevated access to sensitive information or Defence/Commonwealth contracts.
- Ongoing Awareness Initiatives: Regular updates on emerging threats and security best practices, with real-time security alerts.
By embedding security awareness in Vaxa’s culture, we ensure that every employee is equipped to maintain DISP compliance.
We take a proactive approach to monitoring and improving our compliance processes through:
- Audit Logs and Evidence of Compliance: We maintain detailed records of access control, system changes, and incidents to provide evidence of compliance during audits.
- Internal and External Audits: Regular audits are conducted to assess our compliance with DISP requirements, Essential Eight controls, and (eventually) ISO27001. This includes a review of policies, incident handling, and system vulnerabilities.
- Continuous Improvement: Findings from audits and assessments are used to inform our strategy and make necessary adjustments to our security policies and procedures.
Our continuous improvement framework ensures that we not only meet current DISP Entry Level requirements but also evolve our compliance measures in line with changing Defence, industry, and regulatory needs.
How our DISP strategy integrates with our other compliance efforts
While our primary focus in this Handbook section is obviously our DISP compliance, Vaxa recognises the value and need to comply with other frameworks including ACSC’s Essential Eight and ISO27001.
To comply with all of these frameworks at once, Vaxa's approach to each of them must recognise how they interact.
Here is how we see those two frameworks interacting with DISP:
- Essential Eight: Our implementation of the Essential Eight strategies helps protect against cybersecurity incidents, with particular emphasis on patch management, application control, and privileged access management.
- ISO27001: Our Information Security Management System (ISMS) aligns closely with DISP requirements, ensuring that we meet global standards for information security.
This integrated approach ensures that we meet a high standard of security across all aspects of our operations, from Defence information handling, to client information handling, to how we engage third-party suppliers: if we're in business, we're in the business of security.
What Vaxa needs from you
It is a requirement of all Vaxa staff to:
- Review our key policies and training materials: Make sure you are familiar with the latest policies and training resources.
- Participate in ongoing security awareness initiatives: Stay up to date with security alerts and participate in regular training sessions.
- Report any security concerns or incidents immediately: Use the Incident Reporting Form (or contact the Security Officer directly) to report any suspected or actual security breaches.
For questions, concerns, or more detailed information about our compliance strategy, please contact the DISP Team.