Digital Information Assurance / IT Security Compliance

The department undertakes a range of digital information assurance activities to support the delivery of employment services.

Background

The department uses a network of contracted employment service providers (providers) to deliver its programs. To support this, providers access various departmental IT systems which also support programs administered by other Government departments. Providers may also develop their own systems or use accredited third party employment systems (TPES) developed by third party vendors.

Assurance of employment systems is required where:

  • the TPES interacts with any of the department’s systems
  • the TPES stores job seeker data where the vendor manages the system and retains access (e.g. they retain the database administrator role)
  • a provider has a deed with any government enterprise which stipulates the provider is to only use TPES accredited by the department.

Accreditation provides assurance that there are safeguards to protect program data and information.

Be Software products are not accredited by the department

Be Software's iignite product was previously accredited by the department in 2016. When that accreditation expired, Be Software chose not to maintain it. Accordingly, this website shows that iignite's accreditation has expired.

We note that Be Software are stating on their websites (such as besoftware.biz and iignite.biz) that their iignite product is still accredited. We would like to confirm that their accreditation has expired and this product must not be used in the delivery of employment services.

For providers – Use of an accredited third party employment system

Any provider choosing to use a TPES has a responsibility to ensure the system is secure before using it to process, store or communicate data relating to the delivery of Government programs.

Any intention to change an accredited TPES must be explicitly authorised by the department.

Accreditation is for the benefit of the department, and is not a warranty that a TPES is fit for its intended use or for a provider’s specific business processes.

To reduce provider costs, the department works directly with TPES vendors to assess and accredit their systems. This also makes it quicker and easier for providers wishing to change TPES. Alternatively, the department provides secure in-house IT systems that can be used as-is by providers to meet their obligations under their deeds.

What third party IT systems are accredited directly?

The department only accredits specific TPES, not specific vendors, and does not recommend the use of any particular TPES.

Systems are accredited for functionality at the date of accreditation. Any changes to system design or functionality with security implications require reaccreditation by the department.

To assist providers to understand which features have been accredited, the department will work with the TPES vendor to prepare an accreditation letter. This letter also details the responsibilities and security implications that providers need to address in their decision to use the TPES and securely implement it.

The current reaccreditation process began during October 2018, and expiry was extended to 30 June 2019.

The accreditation status of the TPES is outlined in the table below.

Accreditation Status

| Third Party Vendor | Accreditation Status | Accredited System | Notes | Accreditation Letter |
|---|---|---|---|---|
| SoNET Systems | Accredited | iCase | Note 1 | SoNET Accreditation letter |
| JobReady | Provisional Plus | Neptune | Note 2 | - |
| Hivetec | Provisional Plus | Bridge | Note 3 | - |
| KV Interactive | Provisional | JDE-MAX | Note 4 | - |
| Leading Directions | Provisional | BuddyNote, Performance Reports | DES Only | - |
| Be Software | Not Accredited | iignite | - | - |
| MyWorkSearch | Not Accredited | ApTem | - | - |

Note 1 - iCase has been accredited for use to assist in the delivery of jobactive, Disability Employment Services, Transition to Work and ParentsNext.

Note 2 - The existing JobReady system is accredited to be used to support jobactive, ParentsNext and Disability Employment Services. However, the email feature using Mandrill is not accredited.

Note 3 - The existing Bridge system is accredited to be used to support jobactive, Disability Employment Services, Work for the Dole, Career Transition Assistance, Empowering YOUth Initiatives, Harvest Labour Service, Launch into Work, National Work Experience Programme, New Enterprise Incentive Scheme, ParentsNext, Stronger Transitions, Time to Work, Transition to Work and Youth Jobs PaTH. However, the email feature is not accredited.

Note 4 - The department has received a draft report from KVI and their audit team. Their existing JDE-MAX system will retain a provisional accreditation while their new system is undergoing accreditation. While KVI maintain focus on the accreditation exercise for their replacement system, existing customers are able to continue to use JDE-MAX. The department maintains its advice at this stage that no new customers should be onboarded to JDE-MAX until further notice.

"-" indicates "None".

Accredited

  • Systems (with explicitly assessed functionality) accredited for use by providers.
  • Review the accreditation letter to understand your responsibilities and the security implications of using this TPES. The letter also details the features covered by the accreditation. Any feature not specified in the letter is not accredited. Your organisation would need to assess for itself whether the vendor has adequate safeguards to protect program data and information before you can use it.
  • Use of accredited systems does not ensure a system is fit-for-purpose, suits business processes, or meets provider obligations to protect program data.
  • The department will not endorse a move from an accredited TPES to another with less advanced accreditation.

Provisional Plus accreditation

  • The department has limited assurance the TPES has safeguards to protect program data, and the department considers the risk to us is acceptable.
  • Providers will generally be able to start using this TPES, subject to endorsement by the department.

Provisional accreditation

  • Systems which have already met specific requirements and are being actively assessed for reaccreditation.
  • Provisionally accredited systems may be used by existing users only, limited to functionality already in use.
  • New users or the use of increased functionality is not authorised.

Proposed TPES undergoing accreditation

The vendor has signed a deed with the department and has commenced the accreditation process. If your organisation wishes to use the system in the future, please contact the vendor directly to ensure the features you want to use are covered within the scope.

| Proposed System | Deed Execution Date |
|---|---|
| Alffie | 3/10/2019 |
| aXcelerate | 9/1/2020 |

For third party employment system vendors

TPES handling information or data relating to programs delivered by the department must gain and maintain accreditation prior to use by our providers.

Vendors who are unsure whether their systems require accreditation should contact the Security Compliance Support mailbox with the following information:

  • outline of the system and services offered
  • how the system will assist providers to deliver our programs, and which programs are proposed
  • an overview of the system design and access, such as high level architecture, data centre locations, access, authentication, administrative staff locations
  • how the system is intended to inter-operate with the department’s system, such as daily bulk download and upload of data, real-time via APIs
  • the scope of any existing IT security certifications or accreditations maintained
  • the providers considering your system.