Third Party IT Provider (TPITP) Deed, Certification and Accreditation
The Department is required to comply with the:
- Attorney-General’s Department, Protective Security Policy Framework (PSPF)
- Department of Defence, Information Security Manual (ISM)
- Privacy Act
Providers using a system other than the Department’s IT Systems must comply with the security requirements set by the Department.
In accordance with the jobactive Deed (clause 32.2), Providers are required to notify the Department if they intend to use a Third Party System. Providers must not transfer electronic Records to, or store electronic Records with third party data hosting entities, including cloud storage providers, without the prior written approval of the Department.
Providers may only use a Third Party System if the Third Party IT Provider (TPITP) has entered into the Third Party IT Provider Deed with the Department. The TPITP Deed creates a direct legal relationship between the Department and the TPITP which is independent of the contracted jobactive Provider. This will enhance the Department’s ability to enforce remedies with a TPITP should the need arise. The TPITP Deed requires that the TPITP’s IT system is assessed and accredited as having appropriate controls to address security and data protection risks, and that the system is consistent in usage with the Department’s IT Systems. The TPITP Deed will ensure that any Third Party IT system has a high standard of control of sensitive and personal job seeker information.
All systems must ensure the privacy and security of the information they hold. In accordance with the jobactive Deed (clause 32.4), in-house systems used instead of or as an add-on to the Department’s IT Systems (i.e. Provider IT Systems) will also need to comply with the security requirements provided in the Statement of Applicability.
Records in Third Party Systems need to be dealt with in accordance with the Records Management Instructions (RMI).
The following organisations have executed Third Party IT Provider Deeds with the Department:
- BE Software International Pty Ltd
- JN Solutions
- JobReady
- MyWorkSearch Pty Ltd
- Selway and Weewanda Pty Ltd (aka KVInteractive)
- Sonet Systems Pty Ltd
- Secure Your Domain Pty Ltd Trading as DataNova
- Bucan Holdings Pty Ltd Trading as Axelera
- Brennan IT
- Brennan Voice
Certification
Certification is awarded by the Department after an initial assessment by an Information Security Registered Assessors Program (IRAP) Assessor is submitted and accepted by the Department. The report submitted to the Department may include unimplemented controls.
Before 1 January 2016
Before 1 January 2019 the re-certification against the full ISM from a registered IRAP assessor must be submitted to the Department for assessment.
Accreditation
Third Party Systems must be accredited against the ISM within six months of entering into an agreement with the Department.
The Department will maintain the accreditation authority and determine if the IRAP audit and assessment is completed and acceptable.
Accredited Third Party IT Providers
The following providers have been accredited by the Department up to, and including, UNCLASSIFIED (DLM) as per the Australian Government security classification scheme.
- Be Software — iinsight and iignite systems
- JN Solutions — Bridge and Analytics systems
- MyWorkSearch – Aptem system (Interim Approval to Operate)
- JobReady – Neptune system
- SoNET – iCase system
The Department accredits select systems, not the entire provider.
For further details, please contact the Department by emailing the following mailbox:.