Digital Information Assurance / IT Security Compliance

The Department of Jobs and Small Business (the department) undertakes a range of digital information assurance activities to support the delivery of employment services. Information about third party IT / employment systems requirements is provided below.

Background / Applicability

The Department of Jobs and Small Business (the Department) uses a network of Contracted Employment Service Providers (Providers) to deliver its programmes. To support the delivery and management of these programmes, the Providers’ staff have access to various Department of Jobs and Small Business IT systems. The Department’s IT systems are also used to support a number of programmes administered by other government departments. The Providers may also develop their own systems for use by their staff in the delivery of programme services. Alternatively, Providers may give their staff access to employment systems developed by a Third Party IT vendor – as long as the Department has accredited those specific systems. Note: This requirement is stipulated in the Deed between the Provider and the respective department.

The Department’s accreditation of Third Party employment systems is required where:

  • a Third Party IT system interoperates in any way with any of the Department’s systems; or
  • a Provider has a deed with any government body that stipulates the Provider is to only use Third Party employment systems accredited by the Department (DoJSB) – irrespective of whether DoJSB is a party to the deed.

The accreditation of Third Party employment systems provides the Department with assurance that they have safeguards to protect programme data and information. Accreditation by the Department is for the benefit of the Department, and does not provide any warranty to Providers that the Third Party employment systems are fit for their use or are Deed compliant.

This webpage provides details for:

  • Providers – to determine which Third Party IT Systems have been accredited for use, for what function/ purpose, and details of any accreditation caveats that may restrict use of the system; and
  • Third Party employment system vendors – to understand the steps required to get a Third Party employment system accredited for use by Providers.

For Providers – what Third Party IT Systems are accredited

The Department accredits select systems and not the Third Party employment system vendors. Systems are accredited for the functionality as at the date of accreditation. Alteration of system design or functionality requires re-certification by the Department. Providers should check with their Third Party employment system vendors to ensure the Department has accredited the functionality they intend to use, i.e. any functionality added after the ‘accreditation date’ is not ‘accredited’ for use unless the Third Party employment system has been re-accredited or partially re-accredited since the new functionality was added. If a system has undergone a ‘partial re-accreditation’, then the most recent partial re-accreditation date will be listed.

Any feature or changes added since the last accreditation or partial reaccreditation date are NOT accredited for use by Providers.

In March 2018 the Department announced that the Third Party employment system accreditation process, which included reaccreditation, was put on hold. The cyber risks and safeguarding practices have evolved significantly since these systems were initially accredited in 2016-17. This hold was to ensure that the accreditation process took the reality of this new environment into account. Third Party employment systems with accreditations expiring before 1 December 2018 were extended to that date.

In September 2018 the Department announced the updated Third Party employment system accreditation process to all currently engaged Third Party employment system vendors.

The status of the accreditation of Third Party employment systems is outlined in the table below. Providers may use system(s) which have been accredited – subject to accreditation caveats as detailed below.

Accreditation Status & Caveats

| Accredited Third Party Provider | Accreditation Status & Caveats *1 *2 | Accredited System(s) | Notes | Accreditation Expiry |
|---|---|---|---|---|
| Be Software | Restricted Accreditation | iignite | - | Expired |
| Hivetec | Provisional Accreditation | Bridge, Analytics | - | 30/04/2019 |
| JobReady | Provisional Accreditation | Neptune | - | 30/04/2019 |
| KV Interactive | Limited Accreditation | JDE-MAX | - | 18/01/2019 |
| MyWorkSearch | Not Accredited | ApTem | - | Expired |
| SoNET Systems | Provisional Accreditation | iCase | - | 30/04/2019 |
| Leading Directions | Provisional Accreditation | BuddyNote, Performance Reports | DES Only | |

*1 Refer to the Details of Accreditation Caveats section below for explanation of Status & Caveats.
*2 Accreditation status may not be updated immediately; Providers should confirm the status with the Department before entering into formal negotiations.

Details of Accreditation Caveats

The accreditation of Third Party employment systems provides the Department with assurance that they have safeguards to protect programme data and information. Accreditation by the Department is for the benefit of the Department, and does not provide any warranty to Providers that the Third Party employment systems are fit for their use or are Deed compliant.

Accredited

  • Systems (with functionality as at the Accreditation date, or as at the date of a listed partial re-accreditation) are accredited for use by Providers.
  • Providers can choose to start using these systems, subject to endorsement from the Department. This does not remove the requirement for the Provider to ensure this system is fit-for-purpose, suits their business processes, or meets their obligation to protect programme data.
  • The Department will not endorse a Provider to move from a fully accredited Third Party employment system to another with only Provisional Plus accreditation, nor to any Third Party employment systems with a less advanced accreditation or reaccreditation.

Provisional Accreditation

  • This caveat indicates that there is either an operational requirement, and/ or a technical requirement, that is being actively addressed.
  • Existing Users - Systems may be used by existing users only. (Use is limited to functionality as at the time of accreditation).
  • New Users – new users or increased functionality use of these systems is unauthorised until the Provisional caveat is removed.

Provisional Plus Accreditation

  • This caveat indicates that the Department has some limited assurance that the Third Party employment system has safeguards to protect programme data, and the risk associated with limited assurance is considered acceptable for the Department.
  • Providers will generally be able to start using this Third Party employment system, subject to endorsement by the Department. This does not remove the requirement for the Provider to ensure this system is fit-for-purpose, suits their business processes, or meets their obligation to protect programme data.
  • Any Third Party employment system vendor that has not met the accreditation requirement by 1 May 2019 will be regarded as moving to Limited accreditation status.

Limited Accreditation

  • This caveat indicates that the Third Party employment system is NOT on track for accreditation or reaccreditation.
  • New Users – new users or increased functionality use of these systems is unauthorised until the caveat is removed.
  • Existing Users
    • Systems may continue to be used by existing users only. (Use is limited to functionality as at the time of accreditation).
    • A Third Party employment system that has a Limited Accreditation status on 1 February 2019 will become Restricted Accreditation. 

Restricted Accreditation

  • This caveat indicates that the Third Party employment system’s accreditation is considered expired. It will arise if the Third Party employment system vendor has either:
    • indicated that they are not seeking reaccreditation of their product, or
    • not made sufficient, timely progress with reaccreditation to assure the Department that security risks are managed.
  • Existing users - Existing users of the system are to implement their transition plans, and to cease using the Third Party employment system as soon as possible. Providers requiring more than 30 days are to contact the Department.
  • New Users are not permitted.

Third Party Employment Systems Accreditation

Third Party IT Systems that are designed, or specifically configured, to handle information or data that relates to Government programmes delivered by the Department, and which are operationally managed by the Third Party employment system vendor, must gain and maintain accreditation with the Department prior to use by Providers and/or handling ANY data. Any Third Party IT system that interoperates in any way with the Department’s systems must be accredited by the Department.

Third Party employment system vendors who are unsure whether their systems require accreditation by the Department are encouraged to contact the Security Compliance Support mailbox.

Providing the following information will allow us to determine whether a deed is required:

  • Outline of the system(s) and/or services that are offered/ delivered.
  • The nature of how these systems are delivered, e.g. Software as a Service (SaaS), Cloud Service, contracted outsourcing.
  • How this system assists Providers to deliver Australian Government Programmes, and which programmes.
  • An overview of system design and access, e.g. basic architecture, data centre location(s), access, authentication, admin staff location(s).
  • If the Third Party employment systems are intended to inter-operate with the Department’s system, directly or indirectly, then explain how, e.g. daily bulk download and upload of data, real-time via screen scraping, real-time via APIs.
  • Any existing IT Security certification or accreditations held.
  • The Providers using, or considering your product, and the Government Programmes they are to be used for.