Project Summary

Real-world cybersecurity uplift initiative covering infrastructure security, network segmentation planning, identity security, governance development, and stakeholder engagement.

National Railway Museum Cybersecurity Uplift Program

Project Overview

Organisation: National Railway Museum (NRM)

Location: Port Adelaide, South Australia

Role: Cybersecurity Volunteer – Infrastructure Security, IAM & Governance

Project Duration: March 2026 – Present

Last Updated: July 2026


Project Highlights

  • Developed 15+ cybersecurity deliverables including inventories, architecture diagrams, governance procedures, MFA assessments, and implementation planning documentation
  • Developed technology asset inventory covering critical systems
  • Analysed infrastructure dependencies and communication flows
  • Designed proposed segmented network architecture covering User, Server, and CCTV zones
  • Produced governance and operational security documentation
  • Conducted MFA readiness assessment
  • Supported implementation planning with external technology providers

Executive Summary

The National Railway Museum Cybersecurity Uplift Program is an ongoing cybersecurity improvement initiative focused on strengthening the museum’s cybersecurity posture through practical, risk-based security improvements.

Working within a volunteer-driven non-profit environment, I contributed to cybersecurity assessment activities, infrastructure analysis, network segmentation planning, identity and access security improvements, governance development, security awareness initiatives, and implementation planning.

The project evolved from an initial cybersecurity review into a broader security uplift initiative aimed at improving visibility, reducing risk, supporting future technical improvements, and establishing a stronger cybersecurity foundation suitable for the organisation’s operational and resource constraints.


Background

The National Railway Museum operates a diverse technology environment supporting business operations, volunteer activities, archive systems, storage infrastructure, networking equipment, and CCTV systems.

Like many small and non-profit organisations, the museum faces unique cybersecurity challenges. Security improvements must balance risk reduction against operational practicality, budget limitations, volunteer availability, legacy technology, and ease of use.

An initial review of the environment identified opportunities to improve visibility, governance, network security, identity security, and documentation. This led to the development of a broader cybersecurity uplift initiative focused on delivering practical and sustainable improvements.


Challenges Identified

During the initial assessment, several cybersecurity and operational challenges were identified.

Infrastructure Visibility

Limited centralised documentation existed for technology assets, infrastructure dependencies, and network architecture. This made it difficult to assess risk, prioritise improvements, and support future planning activities.

Network Architecture

The environment operated with limited network segmentation, increasing opportunities for unnecessary communication between systems and creating potential pathways for lateral movement in the event of a compromise.

Identity Security

Multi-Factor Authentication (MFA) was implemented on some critical systems; however, opportunities existed to expand coverage and strengthen protection of administrative and internet-facing accounts.

Governance and Documentation

Formal cybersecurity procedures, user guidance, and operational security documentation were limited. Additional governance material was required to support secure day-to-day operations and improve cybersecurity awareness.

Volunteer Workforce Considerations

As a volunteer-driven organisation, security recommendations needed to be practical, cost-effective, easy to understand, and realistic to maintain over time.


Approach

The project followed a structured cybersecurity improvement approach focused on understanding the environment, identifying risks, improving visibility, and developing practical security recommendations.

The engagement included:

  • Cybersecurity posture assessment
  • Asset discovery and infrastructure analysis
  • Network mapping and dependency analysis
  • Network segmentation planning
  • MFA assessment and identity security review
  • Software and application governance review
  • Security procedure development
  • Security awareness material creation
  • Stakeholder engagement and implementation planning

The objective was not simply to identify risks, but to produce practical deliverables that could support future implementation activities.


Project Timeline

March 2026 — Initial Assessment and Environment Discovery

  • Completed volunteer onboarding and stakeholder engagement
  • Conducted initial cybersecurity posture assessment
  • Reviewed existing technology environment
  • Identified key cybersecurity risks and improvement opportunities
  • Began asset discovery and infrastructure analysis
  • Established project objectives and scope

April 2026 — Infrastructure Analysis and Documentation

  • Developed technology asset inventory
  • Documented infrastructure components and critical systems
  • Performed dependency mapping and communication path analysis
  • Created infrastructure documentation and environment diagrams
  • Reviewed operational systems and technology dependencies
  • Improved visibility of technology assets and infrastructure relationships

May 2026 — Network Security Assessment and Segmentation Planning

  • Conducted current-state network architecture review
  • Analysed communication flows between systems
  • Reviewed CCTV environment and associated infrastructure
  • Developed proposed network segmentation architecture
  • Designed user, server, and CCTV security zones
  • Created segmentation rules and communication logic
  • Prepared implementation planning documentation

May–June 2026 — Identity and Access Security Review

  • Assessed existing MFA coverage across organisational systems
  • Reviewed administrative and internet-facing accounts
  • Identified authentication improvement opportunities
  • Developed MFA expansion recommendations
  • Considered operational constraints and volunteer workforce requirements
  • Produced authentication improvement roadmap

June 2026 — Software Governance and Security Documentation

  • Developed software and application inventory
  • Documented application ownership and business criticality
  • Recorded MFA status and internet exposure information
  • Created governance documentation to support future risk management
  • Improved visibility of software and operational systems

June–July 2026 — Governance and Security Awareness Development

  • Developed Acceptable Use Procedure
  • Developed Access Privilege Management Procedure
  • Developed Third-Party Software Restriction Procedure
  • Updated Internet and Computer Use Agreement
  • Created cybersecurity awareness material for staff and volunteers
  • Produced practical guidance covering passwords, phishing, USB usage, and software security

July 2026 – Present — Implementation Support and Continuous Improvement

  • Supported implementation planning activities
  • Participated in stakeholder and vendor discussions
  • Assisted with infrastructure validation activities
  • Supported future network segmentation planning
  • Continued cybersecurity uplift initiatives
  • Maintained and refined project documentation
  • Provided ongoing cybersecurity advisory support

Key Deliverables

Asset Discovery and Infrastructure Analysis

A significant component of the project focused on improving visibility of the museum’s technology environment.

Activities included:

  • Asset identification
  • Infrastructure categorisation
  • Critical asset review
  • System dependency analysis
  • Infrastructure documentation
  • Operational system review

To support future planning and risk analysis, structured inventories were developed covering technology assets, software platforms, infrastructure components, and operational dependencies.

This work established a clearer understanding of how systems interacted and which assets required additional protection.


Supporting Evidence

The following artefacts were developed as part of the National Railway Museum Cybersecurity Uplift Program.


Infrastructure Documentation

Evidence Available:

  • Technology Asset Inventory
  • Infrastructure Inventory
  • Software and Application Inventory
  • Infrastructure Analysis Documentation
  • Critical Asset Identification Records
  • System Dependency Mapping Documentation

Network Security

Evidence Available:

  • Current-State Network Diagram
  • CCTV Infrastructure Diagram
  • Network Architecture Review Documentation
  • Proposed Network Segmentation Architecture
  • Segmentation Rules and Communication Logic
  • Infrastructure Validation Notes
  • Network Implementation Planning Documentation

Network Segmentation Architecture

One of the primary security improvements developed during the project was a proposed network segmentation architecture designed to reduce lateral movement risks and improve protection of critical systems.

[Figure: Proposed Network Segmentation Architecture]


Identity and Access Security

Evidence Available:

  • MFA Assessment Documentation
  • Authentication Review Notes
  • Administrative Account Review Documentation
  • MFA Expansion Recommendations
  • Identity Security Improvement Roadmap

Software Governance

Evidence Available:

  • Software and Application Inventory
  • Application Governance Review
  • Business Criticality Assessment Records
  • Internet Exposure Assessment Documentation
  • Software Ownership Register

Governance and Procedures

Evidence Available:

  • Acceptable Use Procedure
  • Access Privilege Management Procedure
  • Third-Party Software Restriction Procedure
  • Updated Internet and Computer Use Agreement
  • Operational Security Guidance Documentation

Security Awareness

Evidence Available:

  • Cybersecurity Awareness Guide
  • Password Security Guidance
  • Phishing Awareness Material
  • Safe Internet Usage Guidance
  • USB Security Guidance
  • Software Installation Guidance
  • Suspicious Activity Reporting Guidance

Stakeholder Engagement and Project Planning

Evidence Available:

  • Project Planning Documentation
  • Requirements Gathering Notes
  • Stakeholder Review Documentation
  • Implementation Planning Records
  • Vendor Engagement Support Material
  • Security Improvement Roadmap

Photographic and Visual Evidence

Evidence Available:

  • Infrastructure Photographs
  • Network Equipment Photographs
  • Site Assessment Evidence
  • Project Working Documentation
  • Technical Diagram Collection

Network Architecture Review and Segmentation Planning

The existing network environment was reviewed to better understand communication paths, infrastructure relationships, and potential security improvement opportunities.

Network mapping activities included:

  • Infrastructure documentation
  • Current-state network review
  • CCTV environment review
  • Dependency mapping
  • Communication path analysis

Using this information, a future-state segmented architecture was designed to logically separate user devices, server infrastructure, and CCTV systems into distinct security zones.

The proposed design aimed to:

  • Reduce unnecessary exposure
  • Limit lateral movement opportunities
  • Improve separation of critical systems
  • Support more granular access control
  • Improve long-term network security management

To support future implementation activities, segmentation rules, communication logic, infrastructure validation reviews, and implementation preparation notes were also developed.


Identity and Access Security

An assessment of identity and authentication controls was conducted across multiple systems used by the organisation.

The review focused on:

  • Existing MFA coverage
  • Administrative accounts
  • Internet-facing systems
  • Operational constraints
  • User adoption considerations

Recommendations were developed to support staged MFA expansion while balancing security improvements against usability and volunteer workforce requirements.

This work contributed to a practical roadmap for strengthening authentication controls and reducing credential-related risk.


Software and Application Governance

A structured software and application inventory was developed to improve visibility and support governance activities.

Documented information included:

  • Application ownership
  • Business criticality
  • MFA status
  • Internet exposure
  • Operational use cases
  • Security considerations

This inventory provided a foundation for future governance, risk management, software review, and security improvement activities.


Cybersecurity Governance Development

A suite of governance documents was developed to strengthen cybersecurity expectations and provide practical guidance for staff and volunteers.

Key deliverables included:

Acceptable Use Procedure

Guidance covering password practices, internet usage, email security, USB usage, software installation restrictions, and reporting suspicious activity.

Access Privilege Management Procedure

Guidance covering least privilege principles, onboarding, offboarding, access reviews, and administrative account management.

Third-Party Software Restriction Procedure

Guidance covering software approval processes, browser extensions, remote access software, freeware controls, and software governance expectations.

Updated Internet and Computer Use Agreement

Modernisation of the museum’s existing user agreement to better reflect current cybersecurity expectations, including MFA usage, phishing awareness, software restrictions, USB security, monitoring expectations, and cybersecurity responsibilities.


Security Awareness Initiative

To complement the governance work, a cybersecurity awareness guide was developed for staff and volunteers.

Topics included:

  • Password security
  • Phishing awareness
  • Safe internet usage
  • USB security
  • Software installation guidance
  • Reporting suspicious activity

The material was intentionally designed to be practical, non-technical, and accessible to users with varying levels of technical experience.


Stakeholder Engagement

Throughout the engagement, collaboration with museum stakeholders played an important role in ensuring recommendations remained practical and aligned with operational requirements.

Activities included:

  • Requirements gathering
  • Technical discussions
  • Documentation review
  • Validation workshops
  • Implementation planning
  • Vendor-related discussions

Working directly with operational stakeholders strengthened my ability to communicate cybersecurity concepts in a clear and business-focused manner while balancing technical recommendations against organisational constraints.


Outcomes

The project established a stronger cybersecurity foundation for the National Railway Museum by improving visibility, documenting infrastructure, identifying key risks, and preparing practical security improvements.

Key outcomes achieved through the project included:

  • Improved understanding of technology assets and infrastructure dependencies
  • Greater visibility of software and operational systems
  • Proposed network segmentation architecture for future implementation
  • MFA assessment and authentication improvement planning
  • Development of cybersecurity governance procedures
  • Creation of volunteer-friendly security awareness material
  • Support for future implementation planning and vendor discussions

The project demonstrated how meaningful cybersecurity improvements can be achieved through structured assessment, practical planning, stakeholder engagement, and governance development.


Skills Demonstrated

Governance, Risk and Compliance

  • Security assessment
  • Risk identification
  • Governance development
  • Security awareness
  • Access management controls

Infrastructure Security

  • Infrastructure analysis
  • Dependency mapping
  • Network architecture review
  • Network segmentation planning

Identity and Access Management

  • MFA assessment
  • Authentication improvement planning
  • Administrative account review

Stakeholder Communication

  • Documentation development
  • Technical communication
  • Requirements gathering
  • Security awareness delivery

Project and Implementation Planning

  • Security improvement planning
  • Vendor coordination support
  • Roadmap development
  • Operational documentation

Lessons Learned

One of the most valuable lessons from this engagement was that cybersecurity improvements are rarely purely technical challenges.

Effective security improvements must account for people, operational requirements, organisational maturity, available resources, and long-term sustainability.

Working within a volunteer-driven non-profit environment reinforced the importance of balancing security objectives with usability, practicality, and stakeholder adoption.

The experience strengthened my ability to assess real-world environments, communicate risk, develop security documentation, and contribute to cybersecurity improvement initiatives that support both organisational goals and security outcomes.

Public Evidence

Sanitised visual evidence is available for this project.

[Figure: Proposed segmented network design for the National Railway Museum project, sanitised for public portfolio use.]