New AWS Workbook for Australian energy sector customers now available

I’m pleased to announce the Amazon Web Services (AWS) AESCSF 2019 Workbook, a resource designed to help energy sector customers align with the Australian Energy Market Operator (AEMO)’s Australian Energy Sector Cyber Security Framework (AESCSF) 2019.

The workbook helps energy sector customers to:

• Conduct due diligence on the AWS control environment, by mapping the AESCSF 2019 framework to control implementation statements described in our Risk and Compliance Whitepaper, Overview of Security Process Whitepaper, and SOC audit reports.
• Architect, deploy, run, and optimize workloads in the AWS Cloud by mapping the AESCSF 2019 framework to the best practices described in the five pillars of the AWS Well-Architected Framework.
• Identify areas of control alignment and potential control gaps with respect to the AESCSF 2019 framework.

The AESCSF 2019 framework comprises 11 domains. Each domain contains one or more objectives, with each objective broken down into specific individual practices. Nine of the 11 domains also contain examples of anti-patterns or specific indicators of bad practice.

The AEMO describes the AESCSF 2019 framework as:

“focussed on cyber security maturity and […] therefore not prescriptive in relation to security controls. It describes what your organisation should strive to achieve, but not how they should achieve it.”

Although the framework is not prescriptive, the AEMO has provided a selection of Australian and global informative references mapped to each practice to support organizations seeking control suggestions or recommendations. These references include the Australian Cyber Security Centre (ACSC) Essential Eight, specific controls from the Australian Government Information Security Manual (ISM), the International Organization for Standardization (ISO) 27001:2013, and the Australian Privacy Principles (APPs).

It’s important to note that security and compliance is a shared responsibility between AWS and our customers. AWS is responsible for the security of the cloud (that is, the infrastructure that runs all of the services in the AWS Cloud) but customers are responsible for the security of the systems and applications they deploy in the cloud.

The AWS AESCSF 2019 Workbook helps customers align with the AESCSF 2019 framework by providing control mappings for:

• Security of the cloud by mapping AESCSF 2019 framework practices to control statements from the AWS Compliance Program.
• Security in the cloud guidance by mapping AESCSF 2019 framework practices to the five pillars of the AWS Well-Architected Framework, and also to AWS Config managed rules and Amazon GuardDuty findings, where available or applicable.

The AWS AESCSF 2019 Workbook does not provide mappings to the anti-patterns, because these are specifically focused on helping customers identify bad practices within their organizations.

The downloadable workbook contains two embedded formats:

• Microsoft Excel – Coverage includes AWS responsibility control statements and Well-Architected Framework best practices.
• Dynamic HTML – Coverage is the same as in the Microsoft Excel format, with the added feature that the Well-Architected Framework best practices are mapped to AWS Config managed rules and Amazon GuardDuty findings, where available or applicable.

The workbook is available for download through AWS Artifact, accessible through your AWS account.

If you have feedback about this post, submit comments in the Comments section below.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.