Select Page

Audit: Vic privacy watchdog uncovers third-party infosec risks at four agencies | iTnews

Audit: Vic privacy watchdog uncovers third-party infosec risks at four agencies | iTnews

Australian Audit Report 22 July 2022

Victorian privacy watchdog uncovers third-party infosec risks at four agencies

Agencies only partially effective at ensuring that third parties are securing public sector information

OVIC Report: Standard 8 of the Victorian Protective Data Security Standards: Audit of information security in third-party arrangements
Vic privacy watchdog uncovers third-party infosec risks at four agencies | iTnews

Read more Audit Reports and Victoria

All four Victorian government agencies recently examined by the state’s privacy commissioner have been found to be only partially effective at ensuring the third parties they share public sector information with are securing it.

The audit covered the Department of Environment, Land, Water and Planning (DELWP), Department of Jobs, Precincts and Regions (DJPR), Transport Accident Commission (TAC) and WorkSafe Victoria.

To reach an audit conclusion OVIC assessed the Organisations against four criteria:

  1. How the Organisation assesses the security risks of entering an engagement with a third-party;
  2. How the Organisation identifies and responds to changes to risk through the life of an
    engagement;
  3. How the Organisation ensures that third-parties are meeting their security obligations.; and
  4. How the Organisation protects information at the conclusion of a third-party engagement.

OVIC’s Assessment of each Organisation
OVIC’s Assessment of each Organisation

Recommendations

As a result of this audit OVIC made the following recommendations to each Organisation.

 

TAC

  • Recommendation 1
    That TAC implements a process for ensuring its monitoring and assurance activities are performed in accordance with the level of risk.
  • Recommendation 2
    That TAC implements its ‘partnered’ approach of managing engagements and implement an assurance mechanism that factors in the risk rating of the third-party arrangement.

 

WorkSafe

  • Recommendation 3
    That WorkSafe implements clear policy and guidance material with respect to:
    • assessing security risks of entering an engagement with a third-party;
    • identifying and responding to risk through the life of a third-party engagement;
    • ensuring third-parties meet their security obligations; and
    • protecting information at the conclusion of a third-party engagement.

 

DELWP

  • Recommendation 4
    That DELWP implements policy and procedure documents that address all types of information security incidents.
    That DELWP implements its proposed draft process for protecting information at the conclusion of a third-party arrangement and document it in the form of a policy or procedure.

 

DJPR

  • Recommendation 5
    In comparison to the other three Organisations, DJPR initially provided limited information to OVIC. DJPR had only one representative at the interview, whereas the other agencies ensured that members for all relevant areas were present. In addition to this, the documents and other material provided by DJPR was significantly less than the other Organisations.
    However, upon receipt of the preliminary assessment DJPR provided a comprehensive supplementary response, which included many additional documents and a comprehensive explanation of how DJPR seeks to adhere to Standard 8.
    However, the failure to provide material initially may suggest there is a lower level of understanding about their procedures across DJPR, and it is for this reason that OVIC makes the following recommendation.
  • Recommendation 6
    That DJPR engages an appropriately qualified consultant to review its practices and procedures for managing security risks when sharing information with third-parties and provide recommendations for improvement. OVIC recommends that the following be considered in the review:
    • How DJPR assesses security risks of entering an engagement with a third-party and documenting that process in policy and procedure documentation;
    • The process for third-parties to notify DJPR of information security incidents;
    • The contract management process and how information security is included in those processes; and
    • The change management process for third-parties.
    This process should be overseen by DJPR’s Audit and Risk Committee, and DJPR should provide a copy of the consultant’s report and its proposed response to OVIC.

 

 


About The Author

Steven Kirby

I provide independent and practical consultancy services through raising awareness and fostering the energy for change that delivers improved business management of information security governance, risk and compliance.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Please follow the Source link to the original article to support the content owner. We only provide a brief summary with metadata to assist in categorisation.

More Australian News

How a notification wiped a business from social media | A Current Affair

Like most small businesses, Rebecca relies on social media for her brand. She spent years building her skincare line, even paying for ads on the platforms. But within seconds- it [...]

Key Trends in Cyber Security and Data Privacy (2026): a General Counsel lens

Cyber security and data privacy are now core governance tests - demanding clear decision-making authority, disciplined escalation and evidence … [...]

Australia’s New ADM Transparency Obligation: OAIC Signals a Broad Reading Ahead of December 2026

On 18 May 2026, the Office of the Australian Information Commissioner (OAIC) released its Issues Paper on the new automated decision-making (ADM) … [...]

Tracking pixels are one of many tracking tools that are often used by businesses to gain insights and target advertising effort across the internet … [...]

Legacy systems may be out of sight, but they're rarely risk-free. From forgotten databases to unsupported software, ageing technology gives attackers … [...]

Unfolding in real time: Artificial intelligence is reshaping cybersecurity

Key takeaways The cybersecurity capability of next-generation frontier artificial intelligence (AI) models is increasing rapidly. Large language … [...]

NSW Government Bulletin: Managing employee social media content in the public sector

Over recent years, the increase in social media activity across different platforms has facilitated opportunities for employees to comment on a broad … [...]

Australia: Pixel Perfect – The regulator addresses use of tracking pixels

On 11 June 2026, the Office of the Australian Information Commissioner (OAIC) published two determinations against Medmate Australia Pty Ltd (Medmate) … [...]

Discover how modern corporate investigations are shifting from email to chat and encrypted apps. Learn essential strategies for defensible forensic… [...]

Australian Cyber Aware - As It Was 2606 - June 2026

This monthly review provides a curated summary of Australian and New Zealand cyber, privacy, and information security developments identified during … [...]

Key Trends in Cyber Security and Data Privacy (2026): a General Counsel lens - Governance Institute of Australia

Cyber security and data privacy are now core governance tests – demanding clear decision-making authority, disciplined escalation and evidence that … [...]

Shares
Share This

Discover more from Australian Cyber Aware

Subscribe now to keep reading and get access to the full archive.

Continue reading