All four Victorian government agencies recently examined by the state’s privacy commissioner have been found to be only partially effective at ensuring the third parties they share public sector information with are securing it.
The Office of the Victorian Information Commissioner (OVIC) this week released an audit [pdf] into the compliance of the entities with standard eight of the Victorian Protective Data Security Standards (VPDSS).
It looked at the Department of Environment, Land, Water and Planning (DELWP), Department of Jobs, Precincts and Regions (DJPR), Transport Accident Commission (TAC) and WorkSafe Victoria.
“While the audit considered none of the organisations completely effective across all four audit criteria, there were a wide range of practices and procedures the organisations had implemented at varying levels of effectiveness,” commissioner Sven Bluemmel said.
One area of concern for OVIC is that all agencies are only ‘partially effective’ at identifying and responding to changes to information security risks through the life of a contract with a third-party.
Both TAC and WorkSafe were found to have “strong contractual clauses requiring a third-party to report information security incidents”, but this was not the case with DJPR and DELWP.
OVIC said it was “unable to determine” whether DJPR had “effective contractual controls requiring third parties to report incidents”.
Contract clauses were similarly difficult to locate at DELWP due to its use of the Department of Premier and Cabinet-owned head agreements to engage contractors.
Cyber incident management and response more generally was found to be effective at three of the four agencies, with only WorkSafe unable to provide an information security incident policy.
Elsewhere in the audit, only two of the four agencies were “able to demonstrate to OVIC that they effectively protected public sector information at the conclusion of a third-party engagement”.
“The remaining two organisations require improvement in this area, as it is an integral part of ensuring public sector information is protected,” the report said.
“Those organisations demonstrated a heavy reliance on the third-party returning or destroying the public sector information without the input or oversight from the organisation.”
All agencies had a process for assessing risk prior to entering a third-party arrangement, but again with “varying degrees of effectiveness”.
DELWP and TAC – which conducted infosec risk assessments on third parties prior to a procurement – were considered effective, while DJPR and WorkSafe were labelled only partially effective.
Three of the agencies – TAC, DELWP and WorkSafe – were also found to be partially effective at ensuring third parties are meeting their security obligations.
The report made a number of recommendations, including that DELWP implements its “proposed draft process for protecting information at the conclusion of a third-party arrangement”.
DJPR, meanwhile, was told to engage a “consultant to review its practices and procedures for managing security risks when sharing information with third parties” after initially failing to provide adequate material to OVIC.
“The failure to provide material initially may suggest there is a lower level of understanding about their procedures across DJPR,” the report said.
Bluemmel said the report “suggests that there are many opportunities for strengthening management of information security risks across the public sector”.
The report comes a week after Deakin University, which is also subject to the VPDSS standards, revealed a data breach impacting almost 47,000 current and past students.
The attacker gained access to information held by a third-party provider using a single set of staff member credentials.