Digital Information Assurance / IT Security Compliance

The Department of Employment, Skills, Small and Family Business (the department) undertakes a range of digital information assurance activities to support the delivery of employment services.

Background

The department uses a network of Contracted Employment Service Providers (Providers) to deliver its programmes. To support this, Providers access various departmental IT systems which also support programmes administered by other Government departments. Providers may also develop their own systems or use accredited employment systems developed by third party vendors.

Assurance of employment systems is required where:

  • a third party IT system interoperates in any way with any of the department’s systems
  • a Provider has a Deed with any government body that stipulates the Provider is to only use third party employment systems accredited by the department.

Accreditation provides assurance that there are safeguards to protect programme data and information.

Providers – Use of an Accredited Third Party Employment System

Any Provider choosing to use a Third Party Employment System (TPES) has a responsibility under their Deed to ensure the system is secure before using it to process, store or communicate data relating to the delivery of Government programmes.

Any intention to change an accredited TPES must be explicitly authorised by the department.

Accreditation provides the department with assurance that each system has adequate safeguards to protect programme data and information. Accreditation is for the benefit of the department, and is not a warranty that a TPES is fit for its intended use or for a Provider’s specific business processes.

To reduce Provider costs, the department works directly with TPES vendors to assess and accredit their systems. This also makes it quicker and easier for Providers wishing to purchase or change TPES. Alternatively, the department provides secure in-house IT systems that can be used as-is by Providers to meet their obligations under their deeds.

Accreditation of a TPES is valid for up to two years from the date granted. Unless otherwise advised by the department, systems must be reaccredited before the accreditation’s expiry date in order to ensure continuity of use.

What third party IT systems are accredited?

The department only accredits a specific TPES, not vendors, and does not recommend the use of any particular TPES.

Systems are accredited for functionality at the date of accreditation, but any changes to system design or functionality require reaccreditation by the department.

Any functionality added after the accreditation date is not accredited for use without reaccreditation or partial reaccreditation. If a system has undergone a partial reaccreditation, then the most recent partial reaccreditation date will be listed.

The current reaccreditation process began in October 2018, and the expiry date has been extended to 30 June 2019. There will be no further extensions beyond 30 June 2019.

The accreditation status of the third party employment systems is outlined in the table below.

Accreditation Status

| Third Party Vendor | Accreditation Status | Accredited System | Notes | Accreditation Expiry |
|---|---|---|---|---|
| JobReady | Provisional Plus | Neptune | Note 1 | - |
| Hivetec | Provisional Plus | Bridge | Note 2 | - |
| KV Interactive | Provisional | JDE-MAX | Note 3 | 30/6/2019 |
| SoNET Systems | Provisional | iCase | Note 4 | 30/6/2019 |
| Leading Directions | Provisional | BuddyNote, Performance Reports | DES Only | - |
| Be Software | Not Accredited | Iignite | - | Expired |
| MyWorkSearch | Not Accredited | ApTem | - | Expired |

Note 1 - The existing JobReady system is accredited to be used to support jobactive, ParentsNext and Disability Employment Services. However, the email feature using Mandrill is not accredited.

Note 2 - The existing Bridge system is accredited to be used to support jobactive, Disability Employment Services, Work for the Dole, Career Transition Assistance, Empowering YOUth Initiatives, Harvest Labour Service, Launch into Work, National Work Experience Programme, New Enterprise Incentive Scheme, ParentsNext, Stronger Transitions, Time to Work, Transition to Work and Youth Jobs PaTH. However, the email feature is not accredited.

Note 3 - The department has received a draft report from KVI and their audit team. Their existing JDE-MAX system will retain a provisional accreditation while their new system is undergoing accreditation. While KVI maintain focus on the accreditation exercise for their replacement system, existing customers are able to continue to use JDE-MAX. The department maintains its advice at this stage that no new customers should be onboarded to JDE-MAX until further notice.

Note 4 - We understand that SoNET are working closely with their audit team to progress the verification that their ICT controls are operating effectively. This fieldwork has not yet been completed. This engagement includes assessing the risk to program records as a result of SoNET recently joining RM Results (UK parent company). The department is assessing progress with weekly confirmations from the audit partner as to which controls have and have not yet been verified. While SoNET maintain focus on the reaccreditation exercise, existing customers are able to continue to use iCase at this time. The department maintains its advice at this stage that no new customers should be onboarded to iCase until further notice.

- indicates "None".

Accredited

  • Systems (with explicitly assessed functionality) accredited for use by Providers.
  • Use of accredited systems does not ensure a system is fit-for-purpose, suits business processes, or meets Provider obligations to protect programme data.
  • The department will not endorse a move from a fully accredited third party employment system to another system with less advanced accreditation or reaccreditation.

Provisional Accreditation

  • Systems which have already met specific requirements and are being actively assessed for full accreditation or reaccreditation.
  • Provisionally accredited systems may be used by existing users only (limited to functionality already in use).
  • New users or the use of increased functionality is not authorised.

Provisional Plus Accreditation

  • The department has limited assurance the third party employment system has safeguards to protect programme data, and the department considers the risk acceptable.
  • Providers will generally be able to start using this third party employment system, subject to endorsement by the department.

Limited Accreditation

  • Limited Accreditation systems are NOT on track for accreditation or reaccreditation.
  • New users or increased functionality use is unauthorised.
  • Existing users may continue to use their existing systems where they are limited to accredited functionality only.

Expired

  • Accreditation will expire if the third party employment system vendor:
    • withdraws their product and no longer requires accreditation
    • will not be seeking reaccreditation for their product
    • has not made sufficient, timely progress with reaccreditation to assure the department that security risks are managed.
  • Existing users of expired systems must implement their transition plans and cease using the system as soon as possible. Providers requiring more than 30 days must contact the department.
  • New use is not permitted.

Third Party Employment Systems - Vendors

Third party employment systems handling information or data relating to programmes delivered by the department must gain and maintain accreditation prior to use.

Third party employment system vendors who are unsure whether their systems require accreditation should contact the Security Compliance Support mailbox with the following information:

  • Outline of the system and services offered
  • The nature of how these systems are to be delivered: e.g. software as a service (SaaS), cloud service, contracted outsourcing
  • How this system will assist Providers to deliver our programmes, and which programmes
  • An overview of system design and access: basic architecture, data centre locations, access, authentication, admin staff locations
  • How the third party employment systems are intended to interoperate with the department’s system: daily bulk download and upload of data, real-time via screen scraping, real-time via APIs
  • Any existing IT security certifications or accreditations maintained
  • The Providers considering your system.