Many Employment and Skills Service Providers (Providers) to the department engage Third Party IT Vendors (Vendors) in the delivery of their services. To help Providers effectively manage risks relating to the use of third-party systems, the department accredits Third Party Employment and Skills (TPES) Systems developed by Vendors, where:
- the Vendor’s solution stores, processes, and manages information that is used by Employment and/or Skills Service Providers in the delivery of Australian Government Employment and/or Skills programs; and
- the Vendor enters (or seeks to enter) into a Deed with the department for the provision of such services.
Background
The department uses a network of contracted service Providers to deliver its programs. To support this, Providers access various departmental IT systems which also support programs administered by other Australian Government departments. Providers may choose to develop their own systems or use accredited TPES systems developed by Vendors. TPES systems may be a locally installed application or provided as Software as a Service (SaaS) solution.
Under the department’s Right Fit For Risk (RFFR) accreditation approach, the department requires Providers to document their Information Security Management System (ISMS) in accordance with the requirements of ISO/IEC 27001, supplemented by the Australian Government Information Security Manual (ISM), as well as the requirements specified in their Deed/s. Where Providers choose to utilise a TPES system to support their business, Providers must seek assurance that the systems and services provided by the third party adequately reflect RFFR accreditation requirements.
Consistent with the RFFR approach, the department works with Vendors to accredit their TPES system(s) before those Vendors sign a Deed with the department. The department signs Deeds with such Vendors where it is reasonably expected that:
- the TPES system stores program participant data or related records, and the Vendor manages the system and retains access (e.g. the Vendor retains a database administrator role); or
- a Provider has a Deed with any government department which stipulates that the Provider is to only use TPES systems accredited by the department.
Accredited TPES systems
The department accredits TPES systems, not Vendors. The department does not recommend the use of any TPES system over another; it is the Provider’s responsibility to conduct due diligence and make their own business and risk decisions accordingly.
TPES systems are accredited for specific functionality with authorisation boundaries applied based on the solution architecture at the time of assessment. Changes to the TPES system solution architecture with security implications may require reassessment by the department.
To assist Providers in understanding the TPES system accreditation scope and shared responsibilities, the department has prepared an accreditation report for each accredited TPES system. The accredited TPES systems are outlined in the table below.
| Accredited TPES system | Vendor (in alphabetical order) | Accreditation Report |
|---|---|---|
| BuddyNote | Leading Directions | BuddyNote and Performance Reports Accreditation Report |
| EsherHouse Cortex | ReadyTech | Esher House Cortex Accreditation Report |
| Job Ready | ReadyTech | JobReady Accreditation Report |
| Ready Apprentice | ReadyTech | Ready Apprentice Accreditation Report |
| Ready Recruit | ReadyTech | Ready Recruit Accreditation Report |
| aXcelerate | Verner-Mackay Group | aXcelerate Accreditation Report |
For Providers – Using an accredited TPES system
Any Provider choosing to use a system or a cloud service provided by a third party has a responsibility to ensure the system or service is secure before using it to process, store or communicate data relating to the delivery of government programs. Providers wishing to use any third-party software or service must conduct their own risk assessment and ensure appropriate controls are in place before using the software or service.
The department’s RFFR accreditation signifies that a TPES system has met the requirements for protecting sensitive information. TPES accreditation is not a warranty that the TPES system is fit for its intended use or for a Provider’s specific business processes, and it does not include an assessment of the legal, financial, or insurance risks associated with the use of the TPES system. The assessment is not a privacy impact assessment; however, privacy risks are considered in the context of the cyber security controls that protect program participant information.
Before a Provider uses a TPES system, the Provider must:
- conduct a risk assessment in accordance with the relevant TPES system accreditation report
- understand the scope of the TPES accreditation
- implement the controls and system configuration requirements specified as ‘customer responsibilities’, and
- identify risks associated with the use of any unaccredited functionality and implement appropriate mitigation strategies.
Providers must obtain written approval from the department to use or change a TPES system.
For Vendors – Seeking RFFR Accreditation for a TPES system
TPES systems handling information or data relating to programs delivered by the department must gain and maintain accreditation prior to use by Providers.
Vendors who are unsure whether their systems require accreditation should contact the department at SecurityComplianceSupport@dewr.gov.au with the following information:
- an outline of the system and services offered
- a description of how the system will assist Providers to deliver programs, and which functionalities are proposed
- an overview of the system design and access arrangements, such as high-level architecture, data centre locations, access controls, authentication, and administrative staff locations
- a description of interoperability with the department’s systems, such as daily bulk download and upload of data, or real-time integration via APIs (Application Programming Interfaces)
- the scope of any existing IT security certifications or accreditations maintained
- the Providers considering your system.
Where Vendors are seeking RFFR accreditation for a TPES system, they should review the material provided on the department’s RFFR Accreditation page. The department has also made available the Third Party IT Vendor Deed Guidelines, which form part of the Deed and provide information for Vendors on their continuing obligations.