IT Security Compliance

IT security compliance information.

Background / Applicability

The Department of Jobs and Small Business (the Department) uses a network of Contracted Employment Service Providers (Providers) to deliver its programmes. To support the delivery and management of these programmes, the Providers’ staff have access to various Department of Jobs and Small Business IT Systems. The Providers may also develop their own systems for use by their staff in the delivery of the various programmes. Alternatively, Providers may provide their staff with access to IT Systems developed by a Third Party IT Provider (TPITP) – as long as the Department has accredited those specific systems. Note: This requirement is stipulated in the Deed between the Provider and the Department.

The Accreditation of Third Party IT Systems provides the Department with assurance that the Third Party IT Systems have safeguards to protect programme data and information. Accreditation by the Department is for the benefit of the Department, and does not provide any warranty to Providers that the Third Party IT Systems are fit for their use.

This webpage provides details for:

  • Contracted Service Providers – to determine which Third Party IT Systems have been accredited for use, and for what function/purpose; and,
  • Third Party IT Providers – to understand the steps required to have a Third Party IT System accredited for use by Contracted Service Providers for particular programme(s).

Contracted Service Providers - Accredited Third Party IT Systems

Accreditation of a Third Party IT System is valid for up to two (2) years from the date granted. Systems must be re-accredited before the accreditation expiry date to ensure continuity of use by Providers - unless advised by the Department.

The Department accredits select systems and not the Third Party IT Systems Provider. Systems are accredited for the functionality as at the date of accreditation, or as at the date of partial re-accreditation (as listed in the accreditation table below). Any alteration of system design or functionality requires re-certification by the Department. Providers should check with their TPITPs to ensure the Department accredits the functionality they intend to use, i.e. any functionality added after the ‘accreditation date’ is not ‘accredited’ for use unless the Third Party IT System(s) has been re-accredited or partially re-accredited since the new functionality was added. If a system has undergone a ‘partial re-accreditation’, then the most recent partial re-accreditation date will be listed.

Re-accreditation is currently ‘ON-HOLD’ by the Department until further notice – this was announced in March 2018. Providers may use system(s) which have previously gone through accreditation – subject to accreditation caveats as detailed below. Third Party IT Systems with accreditation caveats can continue to be used by their existing users only (as at March 2018).

| Accredited Third Party Provider | Accreditation Status & Caveats | Accredited System(s) | Systems Accreditation Date | Partial Re-Accreditation Date | Accreditation Expiry |
|---|---|---|---|---|---|
| Be Software | Accreditation Extension* | Insight, iignite | 24/05/2016 | - | 01/12/2018 |
| Hivetec | Accreditation Extension* | Bridge, Analytics | 24/05/2016 | - | 01/12/2018 |
| JobReady | Accreditation Extension* | Neptune | 12/09/2016 | - | 01/12/2018 |
| KV Interactive | Accredited* | JDE-MAX | 18/01/2017 | - | 18/01/2019 |
| MyWorkSearch | Limited* | ApTem | 27/07/2016 | - | expired |
| SoNET Systems | Accreditation Extension* | iCase | 03/11/2016 | - | 01/12/2018 |

*Refer to the Accreditation Status and Caveats section below for explanation of Status & Caveats.

Third Party IT Systems Accreditation

Third Party IT Systems that handle information, and/or data, that relates to Government programmes delivered by the Department, must gain and maintain accreditation with the Department prior to use by Providers and/or handling ANY data.

Third Party IT Providers who are unsure whether their systems require Accreditation are encouraged to contact the Security Compliance Support mailbox.

Providing the following information will allow us to determine whether a deed is required:

  • Outline of the system(s) and/or services that are offered / delivered.
  • The nature of how these systems are delivered, e.g. Software as a Service (SaaS), Cloud Service, contracted outsourcing, etc.
  • How this system assists Contracted Service Providers to deliver Australian Government Programmes, and what programmes.
  • An overview of system design and access, e.g. basic architecture, datacentre location(s), access, authentication, admin staff location(s).
  • If the Third Party IT Systems are intended to inter-operate with the Department’s system, directly or indirectly, how they do so, e.g. daily bulk download and upload of data, real-time via ‘screen scraping’, or real-time via APIs.
  • Any existing IT Security certification or accreditations.
  • The Contracted Service Providers using, or considering, your products, and the Australian Government Programmes they are used for, e.g. Jobactive, TTW, etc.

Accreditation Status & Caveats

Accredited

  • Systems (with functionality as at the Accreditation date, or as at the date of a listed ‘partial re-accreditation’) are accredited for use by Providers.
  • New customers for the systems (functions as at the Accreditation date) are permitted – this does require ‘evaluation’ by the Department to confirm that the intended Programmes and system functionality are covered by the Accreditation.

Accreditation - Extension

  • This Caveat indicates Systems that have had their ‘accreditation’ extended beyond the standard two-year period. Due to the review of the Third Party IT Systems Accreditation Framework, all Third Party Employment Systems which were due for re-accreditation before 1 December 2018 had their accreditation ‘extended’ until 1 December 2018. This was done to ensure continuity of use by existing Providers – as the new Third Party IT Systems Accreditation Framework is not expected to be operational until the fourth quarter of 2018.
  • Existing Users - Systems are accredited for use by Providers (limited to functionality as at the time of accreditation).
  • New Users – new users and/or increased use of functionality in these systems will generally be unauthorised – pending the new ‘accreditation’ framework being developed and requirements being met.

Accreditation - Provisional

  • This Caveat indicates that there is either an operational requirement, and/or a technical requirement, that is being actively addressed. Until the requirement is addressed, the expansion of use of the system will be restricted.
  • Existing Users - Systems are accredited for use by Providers (limited to functionality as at the time of accreditation).
  • New Users – new users and/or increased use of these systems will generally be unauthorised – pending the new ‘accreditation’ framework being developed and requirements being met.

Limited Accreditation

  • Systems (with functionality as at the time of accreditation) are accredited for use by Providers.
  • No new customers will be authorised until ‘limitation’ restrictions have been resolved and the caveat and status updated.