Audit: Vic privacy watchdog uncovers third-party infosec risks at four agencies | iTnews

Australian Audit Report 22 July 2022

Victorian privacy watchdog uncovers third-party infosec risks at four agencies

Agencies only partially effective at ensuring that third parties are securing public sector information

OVIC Report: Standard 8 of the Victorian Protective Data Security Standards: Audit of information security in third-party arrangements

All four Victorian government agencies recently examined by the state’s privacy commissioner have been found to be only partially effective at ensuring the third parties they share public sector information with are securing it.

The audit covered the Department of Environment, Land, Water and Planning (DELWP), Department of Jobs, Precincts and Regions (DJPR), Transport Accident Commission (TAC) and WorkSafe Victoria.

To reach an audit conclusion, OVIC assessed the Organisations against four criteria:

  1. How the Organisation assesses the security risks of entering an engagement with a third-party;
  2. How the Organisation identifies and responds to changes to risk through the life of an engagement;
  3. How the Organisation ensures that third-parties are meeting their security obligations; and
  4. How the Organisation protects information at the conclusion of a third-party engagement.

OVIC’s Assessment of each Organisation

Recommendations

As a result of this audit OVIC made the following recommendations to each Organisation.

TAC

  • Recommendation 1
    That TAC implements a process for ensuring its monitoring and assurance activities are performed in accordance with the level of risk.
  • Recommendation 2
    That TAC implements its ‘partnered’ approach of managing engagements and implements an assurance mechanism that factors in the risk rating of the third-party arrangement.

WorkSafe

  • Recommendation 3
    That WorkSafe implements clear policy and guidance material with respect to:
    • assessing security risks of entering an engagement with a third-party;
    • identifying and responding to risk through the life of a third-party engagement;
    • ensuring third-parties meet their security obligations; and
    • protecting information at the conclusion of a third-party engagement.

DELWP

  • Recommendation 4
    That DELWP implements policy and procedure documents that address all types of information security incidents.
    That DELWP implements its proposed draft process for protecting information at the conclusion of a third-party arrangement and documents it in the form of a policy or procedure.

DJPR

  • Recommendation 5
    In comparison to the other three Organisations, DJPR initially provided limited information to OVIC. DJPR had only one representative at the interview, whereas the other agencies ensured that members from all relevant areas were present. In addition to this, the documents and other material provided by DJPR were significantly less than those of the other Organisations.
    However, upon receipt of the preliminary assessment DJPR provided a comprehensive supplementary response, which included many additional documents and a comprehensive explanation of how DJPR seeks to adhere to Standard 8.
    However, the failure to provide material initially may suggest there is a lower level of understanding about their procedures across DJPR, and it is for this reason that OVIC makes the following recommendation.
  • Recommendation 6
    That DJPR engages an appropriately qualified consultant to review its practices and procedures for managing security risks when sharing information with third-parties and provide recommendations for improvement. OVIC recommends that the following be considered in the review:
    • How DJPR assesses security risks of entering an engagement with a third-party and documenting that process in policy and procedure documentation;
    • The process for third-parties to notify DJPR of information security incidents;
    • The contract management process and how information security is included in those processes; and
    • The change management process for third-parties.
    This process should be overseen by DJPR’s Audit and Risk Committee, and DJPR should provide a copy of the consultant’s report and its proposed response to OVIC.

About The Author

Steven Kirby

I provide independent and practical consultancy services through raising awareness and fostering the energy for change that delivers improved business management of information security governance, risk and compliance.
