The Department uses a network of Contracted Employment Service Providers (Providers) to deliver its programmes. To support this, Providers access various Department IT systems which also support programmes administered by other government departments. Providers may also develop their own systems or use accredited employment systems developed by third party vendors.
Assurance of employment systems is required where:
- a third party IT system interoperates in any way with any of the Department’s systems
- a Provider has a Deed with any government body that stipulates the Provider is to only use third party employment systems accredited by the Department, whether or not the Department is a party to the Deed.
Accreditation provides assurance that there are safeguards to protect programme data and information.
Providers – Use of an Accredited Third Party Employment System
Any Provider choosing to use a Third Party Employment System (TPES) has a responsibility under their Deed to ensure the system is secure before using it to process, store or communicate data relating to the delivery of government programmes.
Any intention to start using or change TPES must be explicitly authorised by the Department.
The accreditation process provides the Department with assurance that each system has adequate safeguards to protect programme data and information. Accreditation is for the benefit of the Department, and is not a warranty that a TPES is fit for its intended use or for a Provider’s specific business processes.
To reduce Provider costs, the Department works directly with TPES vendors to assess and accredit their systems. This also makes it quicker and easier for Providers wishing to change TPES. The Department provides secure in-house IT systems that can be used as-is by Providers to meet their obligations under their deeds. The TPES listed below are not endorsed by the Department; this is not a panel to be selected from.
Accreditation of a TPES is valid for up to two years from the date granted. Unless otherwise advised by the Department, systems must be reaccredited before the expiry date in order to ensure continuity of use.
What Third Party Employment Systems are accredited?
The Department only accredits known specific TPES, not the associated vendors, and does not recommend the use of any particular TPES. This accreditation is based on the Protective Security Policy Framework issued by the Attorney-General’s Department, and the Information Security Manual (ISM) issued by the Australian Signals Directorate (ASD). The services that ASD has accredited, as detailed on the ASD Certified Cloud Services List (CCSL), can therefore also be used. The Department will authorise a request to use one of these services. Note the statement at the top of the website that ASD prepares a Certification Report, which the cloud provider will supply on request. This report details security aspects which should be considered in relation to the use of these services. To view the current CCSL and to obtain further information about certified cloud services, visit the ASD Certified Cloud Services website.
Systems subject to accreditation by the Department are accredited for the functionality operating at that date. Any changes to system design or functionality with security impact require partial reaccreditation. Any functionality added after the accreditation date is not covered. The most recent full or partial reaccreditation date is listed below.
The current reaccreditation process began during October 2018, and expiry has been extended to 30 June 2019. There will be no further extensions beyond 30 June 2019.
There are Australian sovereignty requirements for systems that process, store or communicate data relating to employment programmes. There are restrictions around foreign nationals with privileged access to these systems. Additionally, no data relating to employment programmes is to be sent offshore. In order for the Department to sign a deed with a potential TPES vendor and arrange for accreditation, there must be an Australian entity able to operate independently of any foreign parent entity.
| Third Party Vendor | Accreditation Status | Accredited System | Notes | Accreditation Expiry |
|---|---|---|---|---|
| JobReady | Provisional Plus | Neptune | Note 1 | - |
| Hivetec | Provisional Accreditation | Bridge, Analytics | - | 30/6/2019 |
| KV Interactive | Provisional Accreditation | JDE-MAX | - | 30/6/2019 |
| SoNET Systems | Provisional Accreditation | iCase | - | 30/6/2019 |
| Leading Directions | Provisional Accreditation | BuddyNote, Performance Reports | DES Only | - |
| Be Software | Not Accredited | Iignite | - | Expired |
- Systems (with explicitly assessed functionality) accredited for use by Providers.
- Use of accredited systems does not ensure a system is fit-for-purpose, suits business processes, or meets Provider obligations to protect programme data.
- The Department will not endorse a move from a fully accredited third party employment system to another system with less advanced accreditation or reaccreditation.
- Systems which have already met specific requirements and are being actively assessed for full accreditation or reaccreditation.
- Provisionally accredited systems may be used by existing users only (limited to functionality already in use).
- New users or the use of increased functionality is not authorised.
Provisional Plus Accreditation
- The Department has limited assurance the third party employment system has safeguards to protect programme data, and the Department considers the risk acceptable.
- Providers will generally be able to start using this third party employment system, subject to endorsement by the Department.
- Limited Accreditation systems are NOT on track for accreditation or reaccreditation.
- New users or increased functionality use is unauthorised.
- Existing users may continue to use their existing systems where they are limited to accredited functionality only.
- Accreditation will expire if the third party employment system vendor:
  - withdraws their product and no longer requires accreditation
  - will not be seeking reaccreditation for their product
  - has not made sufficient, timely progress with reaccreditation to assure the Department that security risks are managed.
- Existing users of expired systems must implement their transition plans and cease using the system as soon as possible. Providers requiring more than 30 days must contact the Department.
- New use is not permitted.
Third Party Employment Systems - Vendors
Third party employment systems handling information or data relating to programmes delivered by the Department must gain and maintain accreditation prior to use.
Third party employment system vendors who are unsure whether their systems require accreditation should contact the Security Compliance Support mailbox with the following information:
- Outline of the system and services offered.
- The nature of how these systems are delivered, e.g. software as a service (SaaS), cloud service, contracted outsourcing.
- How this system assists Providers to deliver Australian Government Programmes, and which programmes.
- An overview of system design and access, e.g. basic architecture, data centre locations, access, authentication, admin staff locations.
- How the third party employment systems are intended to inter-operate with the Department’s system, e.g. daily bulk download and upload of data, real-time via screen scraping, real-time via APIs.
- Any existing IT Security certification or accreditations held.
- The Providers considering your product, and the programmes they are to be used for.