Audit: Vic privacy watchdog uncovers third-party infosec risks at four agencies | iTnews
Australian Audit Report 22 July 2022
Victorian privacy watchdog uncovers third-party infosec risks at four agencies
Agencies only partially effective at ensuring that third parties are securing public sector information
OVIC Report: Standard 8 of the Victorian Protective Data Security Standards: Audit of information security in third-party arrangements
All four Victorian government agencies recently examined by the state’s privacy commissioner have been found to be only partially effective at ensuring the third parties they share public sector information with are securing it.
The audit covered the Department of Environment, Land, Water and Planning (DELWP), Department of Jobs, Precincts and Regions (DJPR), Transport Accident Commission (TAC) and WorkSafe Victoria.
To reach an audit conclusion OVIC assessed the Organisations against four criteria:
- How the Organisation assesses the security risks of entering an engagement with a third-party;
- How the Organisation identifies and responds to changes to risk through the life of an
- How the Organisation ensures that third-parties are meeting their security obligations; and
- How the Organisation protects information at the conclusion of a third-party engagement.
OVIC’s Assessment of each Organisation
As a result of this audit OVIC made the following recommendations to each Organisation.
- Recommendation 1
That TAC implements a process for ensuring its monitoring and assurance activities are performed in accordance with the level of risk.
- Recommendation 2
That TAC implements its ‘partnered’ approach of managing engagements and implements an assurance mechanism that factors in the risk rating of the third-party arrangement.
- Recommendation 3
That WorkSafe implements clear policy and guidance material with respect to:
• assessing security risks of entering an engagement with a third-party;
• identifying and responding to risk through the life of a third-party engagement;
• ensuring third-parties meet their security obligations; and
• protecting information at the conclusion of a third-party engagement.
- Recommendation 4
That DELWP implements policy and procedure documents that address all types of information security incidents.
That DELWP implements its proposed draft process for protecting information at the conclusion of a third-party arrangement and documents it in the form of a policy or procedure.
- Recommendation 5
In comparison to the other three Organisations, DJPR initially provided limited information to OVIC. DJPR had only one representative at the interview, whereas the other agencies ensured that members from all relevant areas were present. In addition, the documents and other material provided by DJPR amounted to significantly less than what the other Organisations provided.
However, upon receipt of the preliminary assessment DJPR provided a comprehensive supplementary response, which included many additional documents and a comprehensive explanation of how DJPR seeks to adhere to Standard 8.
However, the failure to provide material initially may suggest there is a lower level of understanding about their procedures across DJPR, and it is for this reason that OVIC makes the following recommendation.
- Recommendation 6
That DJPR engages an appropriately qualified consultant to review its practices and procedures for managing security risks when sharing information with third-parties and provide recommendations for improvement. OVIC recommends that the following be considered in the review:
• How DJPR assesses security risks of entering an engagement with a third-party and documents that process in policy and procedure documentation;
• The process for third-parties to notify DJPR of information security incidents;
• The contract management process and how information security is included in those processes; and
• The change management process for third-parties.
This process should be overseen by DJPR’s Audit and Risk Committee, and DJPR should provide a copy of the consultant’s report and its proposed response to OVIC.