Entry Level Assessors Course

Overview of the Uplift Process

The Uplift Process is intended to assist applicant entities in achieving a suitable level of cyber security hygiene when they are assessed as having shortfalls during the Initial Assessment (IA).

The Uplift Process is broken into the following stages:

Action Plan Requested

    • When an entity's IA has an overall rating of Ad-Hoc or Developing, the assessment includes recommendations and the opportunity to respond to those recommendations in “Part 2 – Uplift Action Plan”.

Action Plan Received

    • The entity submits “Part 2 – Uplift Action Plan”, commonly referred to as the “Action Plan”.

Action Plan Accepted

    • The action plan is accepted if the assessor agrees that the identified actions are suitable. Afterward, DISO Cyber will advise the entity to submit an “Uplift Letter”. The letter must confirm implementation has been completed.
    • If the actions are unsuitable, the assessor will work with the entity to determine the best path forward.

Uplift Letter Received

    • If DISO Cyber accepts the entity’s Action Plan, the entity must write to us to confirm the implementation is complete.

Reassessment

    • A reassessment can only be raised if a complete uplift letter has been received.
    • The Reassessment must consider the action plan recommendations and the original cyber security assessment report.

Uplift Quality Assurance Check

    • The Reassessment is subject to a Quality Assurance check, just as the IA is.

Action Plan Suitability

The assessor must ensure that the identified actions are suitable for addressing the recommendations made within the IA Cyber Security Assessment Report.

Ambiguous statements are not suitable for addressing our recommendations. Instead, applicants must explain to us in no uncertain terms how they will address a control. 

An assessor may request that the applicant demonstrate the control is implemented at any time. For example, you may ask for a screenshot of an applicant’s policy deployment.

Unacceptable example: “We will implement application control.”

Acceptable example: “We will utilise Microsoft Endpoint Manager to deploy Microsoft Defender Application Control (MDAC) to all endpoints used to correspond with Defence.”
