Meeting the jobactive security compliance requirements
Hivint has been involved with the jobactive program since early 2015, initially undertaking the required IRAP assessment for one of the approved third party IT providers, and since then working with many different jobactive providers to help guide them through the process towards achieving security accreditation.
This post provides an overview of the compliance requirements of the program, as well as suggested steps and considerations for any entity currently planning or pursuing compliance.
About the program
The Australian Government’s jobactive program, directed by the Department of Employment (‘the Department’), is an Australia-wide initiative aimed at getting more Australians working. Through the program, jobseekers are both helped to prepare for work (or to return to work) and connected with employers through a network of Employment Services Providers (‘providers’).
Under the program all providers are required to be accredited by the Department as being able to deliver — and continue to deliver — services in a manner that meets various conditions. One condition (defined in item 32 in the jobactive deed) relates to the protection of data entrusted to the provider by the Department in order to deliver these services; effectively extending many of the Australian Government security requirements that apply to the Department through to these providers.
The data security requirements that all providers — as well as third parties hosting jobactive data on behalf of providers — are required to meet have been drawn from two Australian Government publications and one law regarding the protection of information. The publications defining the security control requirements with which providers are required to comply, together with the number of controls drawn from each, are:
- Privacy Act 1988 (Privacy Act) — 1 control
- Protective Security Policy Framework (PSPF) — 36 controls
- Information Security Manual (ISM) — 372 controls
jobactive Statements of Applicability
Rather than taking a big bang all or nothing approach — where providers are required to be compliant with all controls by a specific date — the Department has introduced a graduated approach to achieving compliance. This has been developed through the definition of three individual compliance stages defined within the jobactive Statements of Applicability (SoA), with the requirement for compliance phased across an approximate three-year period.
The perceived intent here is to start providers off with the need to establish a baseline security capability that is then matured with more advanced and complex controls over time. The overall timeframe for compliance, and the number of controls in each stage and SoA, are:
The graph below shows the breakdown of these SoAs as drawn from the three input documents. What is evident from it is that SoA 1 covers a broad set of controls across most of the ISM security domains and the Privacy Act, providing a general security baseline for providers.
Progressing through the program (SoA2 through to SoA3) security becomes more focused in specific domains and extended to include more advanced and complex technical controls within the framework.
It’s easy to see that the lion’s share of the requirements have been drawn from the ISM, which reflects the Department’s focus on information security through cyber-security.
The Department has leveraged the existing register of security professionals already authorised to complete formal assessments of systems against the ISM for certification and accreditation by government bodies. The Information Security Registered Assessor Program (IRAP) list of assessors is maintained by the Australian Signals Directorate (ASD), the same body that is responsible for the ISM.
The Department has given providers the option to undertake a self-assessment for the first compliance assessment, but requires formal assessments by IRAP assessors for stages 2 & 3. These assessments are:
- The first assessment is considered a self-assessment, whereby providers complete their own assessment against the controls defined in SoA 1, and report findings to the Department for review.
- The second assessment is required to be completed by an IRAP assessor, with assessment coverage of controls defined in both SoA 1 and SoA 2.
- The third assessment is also required to be completed by an IRAP assessor, and so long as the risk profile or environment hosting jobactive data hasn’t significantly changed, the assessment may be completed against the controls in SoA 3 only (we recommend validating this position with the IRAP assessor and Department prior to conducting this assessment).
- From this point, the provider is required to undergo assessment no less than every three years — potentially sooner if the Department requests a new assessment based on factors such as a change in governance arrangements, changing cyber threats or other factors that change the IT security landscape for the provider.
Where to start
Achieving a level of compliance acceptable to the Department against the full set of security controls reflected across the SoAs can be a daunting task for many providers. We’ve worked with a variety of providers, from small, single-office not-for-profits through to large Australia-wide commercial providers, and each has needed to invest considerable time and effort to achieve the target compliance posture.
However, regardless of the size, scope and overall security maturity of the providers we’ve worked with, the general approach that we’ve successfully employed with each has had the same main principles and phases, being:
- Phase 1 — Scope Definition, Reduction and Validation
- Phase 2 — Risk and Control Definition
- Phase 3 — Control Implementation & Refinement
- Phase 4 — SoA 1 and 2 Assessment
- Phase 5 — Control Implementation & Refinement
- Phase 6 — SoA 3 Assessment
A high-level overview of the first two phases is provided below.
Phase 1 — Scope Definition, Reduction and Validation
This is a crucial first step that is often overlooked by providers. We strongly believe that proper planning greatly increases your likelihood of an overall successful initiative, both financially and operationally; reducing the likelihood of unnecessary and wasteful investment, and clearly establishing the bounds for compliance. We recommend that providers undertake each of the following, and whilst not mandated, having an IRAP assessor engaged to assist through the process can also speed this activity up, and improve the outcomes considerably.
1. Establish your scope. It’s often not clear exactly what data is subject to the Department’s requirements (Is it only data retrieved from Employment systems? What about data provided directly from jobseekers? Data that is obtained from other providers? And so on…). Knowing what’s in scope and what isn’t can help ensure that you can focus your compliance efforts appropriately. We recommend that providers:
- Identify jobseeker information coming into the organisation. Document the Employment-provided systems from which you retrieve or access jobseeker information, the method by which you obtain it, as well as the type of information that you retrieve.
- Identify where you build on this information. Document instances where you build on this information through other sources, e.g. jobseeker-provided information, and again capture the type of information you obtain and the method by which you obtain it.
- Identify who you share this information with. Document instances where you share information with third parties in support of jobseeker services.
- Define your business process. Capture the above processes together as a set of workflows, outlining the relevant actors, information types and actions performed.
- Overlay these processes across your environment. Overlay these processes across your physical, personnel and IT environments — including those hosted by third parties, such as Department accredited entities, ASD certified providers, or any other entity (don’t forget to include support processes such as offsite backups, or remote connections from IT service providers into your environment).
2. Validate your scope. Engage with the Department’s Security Compliance team to discuss what you have established, and seek input as to whether you are able to remove certain entities, information types and processes from your scope. The Department may also be able to assist by providing upfront guidance on critical / high-risk issues with your practices (e.g. storing jobactive data offshore with a non-approved provider).
3. Define a plan to reduce your scope. This is an optional activity whereby a provider may wish to reduce or otherwise change their scope to reduce their compliance exposure. Some entities have taken the path of applying the controls to their entire business (as they are seen as good-practice security controls, regardless of the data types that they are protecting), and others have reduced their scope by changing or consolidating the systems and business processes that utilise jobactive data.
4. Review the SoAs and remove controls that don’t apply. The SoAs contain a combined 409 security controls; however, not all apply to all providers. So rather than incurring unnecessary compliance expenditure, documenting the controls that the provider considers out of scope, including the justification for each, can save a lot of effort. For example:
5. Validate your revised scope. Following any documented proposal to reduce your environment scope and / or remove controls from the SoA, validation with the Department and / or your IRAP assessor is critical. Only once the revised scope has been validated should you implement the changes.
Phase 2 — Risk and Control Definition
Once the scope has been established, providers are in a position to define and implement controls to meet the Department’s security compliance requirements.
Our immediate recommended next step is for providers to formally assess their security risk posture, and then begin to establish key overarching security artefacts that will govern their security controls.
- Document the Security Risk Management Plan (SRMP) — this document captures the various security risks to jobactive data within the provider’s scoped environment, as well as the controls in place, and planned to be in place, to mitigate these risks to an acceptable level.
- Define the System Security Plan — this document is derived from the SRMP, the environment scope, and the Department’s SoAs and describes the implementation and operation of security controls for the system.
- Define the security documentation framework — various documents which collectively detail the provider’s security controls. This typically comprises security policies, standards, plans and procedures.
We recognise that many providers have not previously needed to establish the majority of the above, and we suggest that you refer to the ISM Controls Manual for further detail describing each of the required documentation artefacts, or alternatively get in touch with an IRAP assessor for assistance.
Phase 3 and Beyond
From this point, providers should be well positioned to implement the various controls defined, and then progress towards the required SoA 1 self-assessment, and subsequent IRAP assessments.
At this stage, providers may also wish to undertake a compliance gap assessment against the controls across the SoAs to help identify their overall compliance posture, and to inform prioritisation as well as the overall resourcing of and investment in the compliance initiative.
Retaining an IRAP Assessor (or alternatively, an individual with previous experience in adopting the ISM control framework) in an advisory capacity throughout this process* can also help to ensure that the provider stays on track.
Need a Hand?
Hivint maintains a team of IRAP Assessors and security consultants across Australia with extensive experience in Federal Government security requirements and the development and application of ISM security control frameworks and compliance strategies.
If you have any questions regarding the Department’s security compliance requirements, or if you may need a hand in working out where to start (or how to progress), please get in touch with us here.
Case Study by Aaron Doggett, Regional Director, Hivint
* To remove any potential conflict of interest, the IRAP Assessor engaged to perform the formal assessments must not also operate in an advisory / consulting capacity to the provider.