ATO, AFP and DFAT outsourced IT deals screened on security grounds

Date: 2022-12-15

Audit asks agencies to draft and track specific security SLAs.

Outsourced IT providers to federal government agencies aren’t being measured on the extent to which they deliver services to expected cyber security standards, an audit has found.

The audit covering three agencies - the Australian Taxation Office (ATO), the Australian Federal Police (AFP) and the Department of Foreign Affairs and Trade (DFAT) - was published late on Wednesday.

It examined three outsourced IT arrangements, one at each agency, and the extent to which these contracts, and the contract management that followed, verified compliance with the Protective Security Policy Framework (PSPF) requirements on agencies, as well as the ACSC’s Information Security Manual (ISM) and the agencies’ own security policies.

The PSPF, in particular, covers the mandate on agencies to implement ‘Essential Eight’ cyber security controls to a certain standard.

“All selected contracts required contracted providers to adhere to the PSPF, ISM and entity internal policy requirements,” the auditor found.

“None of the entities [the agencies] had processes, performance measures and service level agreements related to managing non-compliance with PSPF, ISM and entity internal policy requirements. 

“Further, none of the entities had processes for verifying the reliability of cyber security related performance information provided by contracted providers.”

Auditor-General Grant Hehir noted that reliance on outsourcers and contractors across government heightened the risk of security issues for agencies.

SLAs and KPIs for contracts tended to focus “on the management of services, such as maintenance activities and availability of systems.”

Hehir saw a need for specific metrics on security compliance to be baked into outsourcing contracts, so that performance could be verified on an ongoing basis.

“The specification of important security considerations should be documented in the contract and service level agreements,” the Auditor-General wrote.

“This ensures that the security considerations are verifiable and enforceable.”

The three agencies largely agreed to make changes to the way security requirements are assessed and written into outsourced IT contracts.
