The Australian Government wants to require ICT suppliers and subcontractors to collect and hold evidence of breaches of government data for up to a year under new rules proposed for contractors.
The proposal would also require ICT suppliers to provide written notice of breaches within 12 hours of detecting them.
The Department of Finance has released a draft of the new rules after consulting with the Department of Defence and the Attorney-General’s office.
The rules would be articulated as contractual clauses that would align with the government’s preferred security model, Finance spokesman Mundi Tomlinson wrote on a government blog.
A draft of the new clauses, published alongside the blog post, shows that if a contractor becomes aware of a “cyber incident”, it would be required to comply with agency requests including “obtaining evidence about how, when and by whom the Contractor's information system and/or the Customer Data has or may have been compromised, providing it to the Customer on request, and preserving and protecting that evidence for a period of up to 12 months”.
The new rules would also require contractors to develop an onerous Commonwealth Data Protection Plan (CDPP) to offer services to Australian government customers, unless specifically exempted.
The CDPP would need to comply not only with the Privacy Act but also “be consistent with the Australian Government's Protective Security Policy Framework (PSPF) and Information Security Manual (ISM)”. The document would need to “set out the steps and processes that the Contractor and the Customer will follow to protect the Customer Data from unauthorised access, use, misuse, destruction or loss”.
The Department of Finance has given industry stakeholders until September 19 to comment on the proposed rules.