Many employment and skills service providers (Providers) to the department engage Third Party IT Vendors (Vendors) in the delivery of their services. To help the Providers effectively manage risks relating to the use of third-party systems, the department accredits Third Party Employment and Skills (TPES) Systems developed by Third Party IT Vendors, where:
- the Vendor’s solution stores, processes, and manages information that are used by Employment and/or Skills Service Providers in the delivery of Australian Government Employment and/or Skills programs; and
- the Vendor enters (or seeks to enter) into a deed with the department for the provision of such services.
On this page:
The department uses a network of contracted service providers (Providers) to deliver its programs. To support this, Providers access various departmental IT systems which also support programs administered by other Australian Government departments. Providers may choose to develop their own systems or use accredited Third Party Employment and Skills (TPES) systems developed by Third Party IT Vendors (Vendors). TPES systems may be locally installed application software or provided as Software as a Service (SaaS) solutions.
Under the department’s Right Fit For Risk (RFFR) program, the department requires Providers to document their control environment in accordance with the requirements of ISO 27001, supplemented by the Australian Government Information Security Manual (ISM) and control requirements specified in their deed. This includes the design of the controls, the management system around those controls, and the implementation and operational effectiveness of the controls. Where Providers choose to utilise a TPES system to support their business, Providers must seek assurance that systems and services provided by the third party adequately reflect security control requirements.
Consistent with the RFFR approach, the department works with Vendors to accredit their TPES system(s) before those Vendors sign a deed with the department. The department signs deeds with such Vendors where it is reasonably expected that:
- the TPES system stores program participant data or related records where the Vendor manages the system and retains access (e.g. they retain database administrator role)
- a Provider has a deed with any government department which stipulates the Provider is to only use TPES systems accredited by the department.
Accredited TPES systems
The department accredits TPES system, not Vendors. The department does not recommend the use of any TPES system over another. It is the Provider’s responsibility to risk assess and make their own business decisions accordingly.
TPES systems are accredited for specific employment and skills programs with authorisation boundaries applied based on the solution architecture at the time of assessment. Changes to the TPES system solution architecture with security implications may require reassessment by the department.
To assist Providers understand the TPES system accreditation scope and shared responsibilities, the department prepared accreditation report for each accredited TPES system. The accredited TPES systems are outlined in the table below.
|Accredited TPES system||Vendor (in alphabetical order)||Accreditation Report|
|Learning Management System (LMS)||Alffie (Training Online Australia)||LMS Accreditation Report|
|Bridge||Bridge SAAS (JN Solutions Australia)||Bridge Accreditation Report|
|BuddyNote||Leading Directions||BuddyNote and Performance Reports Accreditation Report|
|Performance Reports||Leading Directions||BuddyNote and Performance Reports Accreditation Report|
|EsherHouse Cortex||ReadyTech||Esher House Cortex Accreditation Report|
|Job Ready||ReadyTech||JobReady Accreditation Report|
|Ready Apprentice||ReadyTech||Ready Apprentice Accreditation Report|
|Ready Recruit||ReadyTech||Ready Recruit Accreditation Report|
|aXcelerate||Verner-Mackay Group||aXcelerate Accreditation Report|
For Providers – Using an accredited TPES system
Any Provider choosing to use a system or a cloud service provided by a third party has a responsibility to ensure the system or service is secure before using it to process, store or communicate data relating to the delivery of Government programs. Providers wishing to use any third-party software or service must conduct their own risk assessment and ensure appropriate controls are in place before using the software or service.
The Department’s Right Fit For Risk (RFFR) Accreditation signifies that a TPES system has met the requirements for protecting sensitive information. TPES accreditation is not a warranty that the TPES is fit for its intended use or for a Provider’s specific business processes. It does not include assessment of legal, financial, or insurance risks associated with the use of the TPES system. The assessment is not a privacy impact assessment; however privacy risks are considered in the context of cyber security controls to protect program participant information.
Before a Provider uses a TPES system, the Provider must:
- risk assess in accordance with the relevant TPES system accreditation report.
- understand the scope of the TPES accreditation,
- implement the controls and system configuration requirements specified as ‘customer responsibilities’, and
- identify risks associated with use of any unaccredited functionality and implement appropriate mitigation strategies.
Providers must obtain written approval from the department to use or change a TPES system.
For Vendors – Seeking RFFR accreditation for a TPES system
TPES systems handling information or data relating to programs delivered by the department must gain and maintain accreditation prior to use by our Providers.
Vendors who are unsure whether their systems require accreditation should contact the Digital Partnership Office through the Security Compliance Support mailbox with the following information:
- an outline of the system and services offered
- a description of how the system will assist Providers to deliver our programs, and which programs are proposed
- an overview of the system design and access, such as high-level architecture, data centre locations, access, authentication, administrative staff locations
- a description of interoperability with the department’s systems, such as daily bulk download and upload of data, real-time via APIs (Application Programming Interface)
- the scope of any existing IT security certifications or accreditations maintained
- the Providers considering your system.
Where Vendors are seeking RFFR accreditation for a TPES system, they should review the material provided on the department’s RFFR Accreditation page. TPES systems are classified as Category One. The department has also made available Third Party IT Vendor Deed Guidelines. The Guidelines form part of the Deed and provides information for Vendors on their continuing obligations.