Digital Information Assurance / IT Security Compliance

The department undertakes a range of digital information assurance activities to support the delivery of employment services.

Background

The department uses a network of contracted employment service providers (providers) to deliver its programs. To support this, providers access various departmental IT systems which also support programs administered by other Government departments. Providers may also develop their own systems or use accredited third party employment systems (TPES) developed by third party vendors.

Assurance of employment systems is required where:

  • the TPES stores job seeker data or records where the vendor manages the system and retains access (e.g. they retain a database administrator role)
  • a provider has a deed with any government department which stipulates the provider is to only use TPES accredited by the department.

Accreditation provides assurance that there are safeguards to protect program data and information.

BeSoftware products are not accredited by the department

BeSoftware's iignite product was previously accredited by the department in 2016. When that accreditation expired, BeSoftware chose not to maintain it. Accordingly, this website shows that iignite's accreditation has expired.

We note that BeSoftware are stating on their websites (such as besoftware.biz and iignite.biz) that their iignite product is still accredited. We would like to confirm that their accreditation has expired and this product must not be used in the delivery of employment services.

For providers – Use of an accredited third party employment system

Any provider choosing to use a TPES has a responsibility to ensure the system is secure before using it to process, store or communicate data relating to the delivery of Government programs.

Any intention to change an accredited TPES must be explicitly authorised by the department.

Accreditation is for the benefit of the department, and is not a warranty that a TPES is fit for its intended use or for a provider’s specific business processes.

To reduce provider costs, the department works directly with TPES vendors to assess and accredit their systems. This also makes it quicker and easier for providers wishing to change TPES. Alternatively, the department provides secure in-house IT systems that can be used as-is by providers to meet their obligations under their deeds.

What third party IT systems are accredited directly?

The department only accredits specific TPES, not specific vendors, and does not recommend the use of any particular TPES.

Systems are accredited for functionality at the date of accreditation. Any changes to system design or functionality with security implications require reaccreditation by the department.

To assist providers to understand which features have been accredited, the department works with the TPES vendor to prepare an accreditation letter. This letter also details the responsibilities and security implications that providers need to address in their decision to use the TPES and securely implement it.

The accreditation status of the TPES is outlined in the table below.

Accreditation Status

| Third Party Vendor | Accreditation Status | Accredited System | Notes | Accreditation Letter |
|---|---|---|---|---|
| SoNET Systems | Accredited | iCase | Note 1 | SoNET Accreditation letter |
| JobReady | Accredited | JobReady Live | Note 2 | JobReady Live Accreditation letter |
| Hivetec | Accredited | Bridge | Note 3 | Hivetec Bridge Accreditation letter |
| Leading Directions | Provisional Plus | BuddyNote, Performance Reports | Note 4 | Not currently available – please contact Securitycompliancesupport@dese.gov.au |
| JobReady | Expired | Neptune | - | Expired 30 June 2020 |
| KV Interactive | Expired | JDE-MAX | - | Expired 30 June 2020 |
| Be Software | Not Accredited | Iignite | - | - |
| MyWorkSearch | Not Accredited | ApTem | - | - |

- indicates "None".

Note 1 - iCase has been accredited for use to assist in the delivery of jobactive, Disability Employment Services, Transition to Work and ParentsNext.

Note 2 - The new system JobReady Live has been accredited for use to assist in the delivery of jobactive, Disability Employment Services, ParentsNext, New Enterprise Incentive Scheme (NEIS), Transition to Work and PaTH.

Note 3 - The Bridge system is accredited to be used to support jobactive, Disability Employment Services, ParentsNext, New Enterprise Incentive Scheme, Stronger Transitions, Career Transition Assistance, Empowering YOUth Initiatives, Youth Jobs PaTH, Transition to Work, Time to Work, Harvest Labour Service, Launch into Work, National Work Experience Programme and Work for the Dole.

Note 4 - Leading Directions has been awarded Provisional Plus for the use of BuddyNote and Performance Reports to support the DES program. This expires on 23 December 2020. Leading Directions is currently working towards becoming Accredited for other programs and developing the Accreditation Letter with the department.

Accredited

  • Systems (with explicitly assessed functionality) accredited for use by providers.
  • Review the accreditation letter to understand your responsibilities and the security implications of using this TPES. The letter also details the features covered by the accreditation. Any feature not specified in the letter is not accredited. Your organisation would itself need to assess whether the vendor has adequate safeguards to protect program data and information before you can use it.
  • Use of accredited systems does not ensure a system is fit-for-purpose, suits business processes, or meets provider obligations to protect program data.
  • The department will not endorse a move from an accredited TPES to another with less advanced accreditation.

Provisional Plus accreditation

  • The department has limited assurance the TPES has safeguards to protect program data, and the department considers the risk to us is acceptable.
  • Providers will generally be able to start using this TPES, subject to endorsement by the department.

Proposed TPES undergoing accreditation

The vendor has signed a deed with the department and has commenced the accreditation process. If your organisation wishes to use the system in the future, please contact the vendor directly to ensure the features you want to use are covered within the scope.

| Proposed system | Deed execution date |
|---|---|
| Alffie | 3/10/2019 |
| Aible | 12/8/2020 |

aXcelerate

The department advises providers that aXcelerate have chosen not to continue towards accreditation.

For third party employment system vendors

TPES handling information or data relating to programs delivered by the department must gain and maintain accreditation prior to use by our providers.

Vendors who are unsure whether their systems require accreditation should contact the Security Compliance Support mailbox with the following information:

  • outline of the system and services offered
  • how the system will assist providers to deliver our programs, and which programs are proposed
  • an overview of the system design and access, such as high level architecture, data centre locations, access, authentication, administrative staff locations
  • how the system is intended to inter-operate with the department’s system, such as daily bulk download and upload of data, real-time via APIs
  • the scope of any existing IT security certifications or accreditations maintained
  • the providers considering your system.