
Audit: Vic privacy watchdog uncovers third-party infosec risks at four agencies | iTnews


Australian Audit Report 22 July 2022

Victorian privacy watchdog uncovers third-party infosec risks at four agencies

Agencies only partially effective at ensuring that third parties are securing public sector information

OVIC Report: Standard 8 of the Victorian Protective Data Security Standards: Audit of information security in third-party arrangements

All four Victorian government agencies recently examined by the state’s privacy commissioner have been found to be only partially effective at ensuring the third parties they share public sector information with are securing it.

The audit covered the Department of Environment, Land, Water and Planning (DELWP), Department of Jobs, Precincts and Regions (DJPR), Transport Accident Commission (TAC) and WorkSafe Victoria.

To reach an audit conclusion, OVIC assessed the Organisations against four criteria:

  1. How the Organisation assesses the security risks of entering an engagement with a third party;
  2. How the Organisation identifies and responds to changes to risk through the life of an engagement;
  3. How the Organisation ensures that third parties are meeting their security obligations; and
  4. How the Organisation protects information at the conclusion of a third-party engagement.

OVIC’s Assessment of each Organisation

Recommendations

As a result of this audit OVIC made the following recommendations to each Organisation.


TAC

  • Recommendation 1
    That TAC implements a process for ensuring its monitoring and assurance activities are performed in accordance with the level of risk.
  • Recommendation 2
    That TAC implements its ‘partnered’ approach of managing engagements and implements an assurance mechanism that factors in the risk rating of the third-party arrangement.


WorkSafe

  • Recommendation 3
    That WorkSafe implements clear policy and guidance material with respect to:
    • assessing security risks of entering an engagement with a third-party;
    • identifying and responding to risk through the life of a third-party engagement;
    • ensuring third-parties meet their security obligations; and
    • protecting information at the conclusion of a third-party engagement.


DELWP

  • Recommendation 4
    That DELWP implements policy and procedure documents that address all types of information security incidents.
    That DELWP implements its proposed draft process for protecting information at the conclusion of a third-party arrangement and documents it in the form of a policy or procedure.


DJPR

  • Recommendation 5
    In comparison to the other three Organisations, DJPR initially provided limited information to OVIC. DJPR had only one representative at the interview, whereas the other agencies ensured that members from all relevant areas were present. In addition, the documents and other material provided by DJPR were significantly less than those of the other Organisations.
    However, upon receipt of the preliminary assessment DJPR provided a comprehensive supplementary response, which included many additional documents and a comprehensive explanation of how DJPR seeks to adhere to Standard 8.
    However, the failure to provide material initially may suggest there is a lower level of understanding about their procedures across DJPR, and it is for this reason that OVIC makes the following recommendation.
  • Recommendation 6
    That DJPR engages an appropriately qualified consultant to review its practices and procedures for managing security risks when sharing information with third-parties and provide recommendations for improvement. OVIC recommends that the following be considered in the review:
    • How DJPR assesses security risks of entering an engagement with a third-party and documenting that process in policy and procedure documentation;
    • The process for third-parties to notify DJPR of information security incidents;
    • The contract management process and how information security is included in those processes; and
    • The change management process for third-parties.
    This process should be overseen by DJPR’s Audit and Risk Committee, and DJPR should provide a copy of the consultant’s report and its proposed response to OVIC.


About The Author

Steven Kirby

I provide independent and practical consultancy services through raising awareness and fostering the energy for change that delivers improved business management of information security governance, risk and compliance.
