26 September 2023

OVIC calls on VPS to protect PS information


The Office of the Victorian Information Commissioner (OVIC) has released an audit report calling on organisations in the Victorian public sector (VPS) to ensure they protect public sector information when it is being handled by third-parties on their behalf.

The Commissioner, Sven Bluemmel said this included managing information security risks before, during, and after engaging third-parties.

Mr Bluemmel said Section 8 of the Victorian Protective Data Security Standards required VPS organisations to ensure that any third-parties they engaged collected, managed, disclosed or transferred public sector information in a secure way.

He said OVIC’s Deputy Commissioner for Privacy and Data Protection, Rachel Dixon conducted the audit which examined the work of the Department of Environment, Land, Water and Planning (DELWP), the Department of Jobs, Precincts and Regions (DJPR), the Transport Accident Commission (TAC), and Victorian WorkCover Authority (WorkSafe).

“While none of the organisations were considered ‘effective’ across all four audit criteria, there was a wide range of practices and procedures at varying levels of sophistication,” Mr Bluemmel said.

He said the Report highlighted some of the good practices and key learnings uncovered during the audit.

“The audit results suggest that there are many opportunities for strengthening management of information security risks across the public sector, right across the life of a third-party engagement,” he said.

“This includes assessing the security risks of entering third-party arrangements; identifying and responding to changes to risk through the life of an engagement; taking active assurance measures to ensure third-parties are meeting their security obligations rather than relying only on contractual clauses; and protecting information at the conclusion of a third-party engagement.”

He thanked the four audited entities for their involvement in, and constructive approach to, the audit.

“The audit process has helped them to reflect on their practices and will provide sound guidance to other public sector organisations,” Mr Bluemmel said.

OVIC made six recommendations in total. Two were made to TAC: to implement a process for ensuring its monitoring and assurance activities were performed in accordance with the level of risk, and to implement an assurance mechanism that factored in the risk rating of third-party arrangements.

One recommendation was made to WorkSafe to implement clear policy and guidance material with respect to assessing security risks of entering an engagement with a third-party.

A further two recommendations were made to DELWP, to implement policy and procedure documents that addressed all types of information security incidents, and to implement its proposed draft process for protecting information at the conclusion of a third-party arrangement.

The final recommendation was made to DJPR, to engage an appropriately qualified consultant to review its practices and procedures for managing security risks when sharing information with third-parties and provide recommendations for improvement.

OVIC’s 24-page Report can be accessed at this PS News link.
