About this policy
Vendors engaged, or seeking to be engaged, by Austrade must agree to be assessed against this policy as part of Austrade’s assessment program. Vendors, their third party suppliers, and Austrade should work collaboratively and in good faith to address any security concerns and risks identified in the assessment process.
Principles
The following principles are fundamental to ensuring that procurement with vendors and their third parties supports Austrade’s requirements for the security of its data:
- Austrade information and data, or the information and data of other Government agencies that is controlled by Austrade, shall be protected in accordance with applicable laws and Australian Government directives.
- Austrade assesses the risks associated with the use of vendors and their third party suppliers and mitigates these risks where possible.
- Formal agreements shall be used to manage all vendor arrangements.
- Responsibility for protecting Austrade information ultimately resides with Austrade.
- Vendor management includes the management of the vendor’s third party suppliers where relevant.
Scope
This Vendor and Third Party Security Policy applies to supplier-side arrangements only, i.e. to arrangements in which Austrade:
- partners with vendors in the delivery of its activities; or
- purchases products or services from the vendor; or
- permits vendors to process, store, collect or transfer Austrade information or data, or the data of other government agencies that is controlled by Austrade; or
- permits vendors to access ICT infrastructure, data or applications hosted or managed by Austrade; or
- outsources the operation, development or management of ICT infrastructure, data or applications to external hosting/outsourcing suppliers.
This policy applies to third party suppliers to vendors where:
- that third party supplier provides services or has access to systems that process, store or communicate Austrade information; or
- that third party supplier provides services that are critical to the delivery of the vendor’s services to Austrade.
These may include external hosting/outsourcing organisations, outsourced applications development, and process outsourcing service suppliers.
Exceptions to this policy
All vendors and their relevant third parties are expected to comply with the requirements detailed below. Where a vendor or their third party cannot comply with the requirements as detailed, an exception is required. Exceptions must be approved in line with Austrade’s risk appetite statement and delegations schedule as follows:
For non-technology related vendors and services:
- Exceptions where the risk created by the exception sits within Austrade’s risk appetite can be approved by Austrade’s Chief Security Officer.
- Exceptions where the risk created by the exception sits outside of Austrade’s risk appetite can only be approved by the Accountable Authority (the Chief Executive Officer).
For technology related vendors and services:
- Exceptions where the risk created by the exception sits within Austrade’s risk appetite can be approved by Austrade’s Chief Information Security Officer (the Head of ITS).
- Exceptions where the risk created by the exception sits outside of Austrade’s risk appetite can only be approved by the Accountable Authority (the Chief Executive Officer).
Vendor security requirements
These requirements apply to all vendors engaged by Austrade. After a vendor is selected, these requirements become terms in Austrade’s contract with the vendor.
Security governance
- The vendor will agree to be assessed for the purposes of ensuring compliance with this policy, and will permit Austrade to audit the vendor’s systems and/or security processes as necessary to ensure delivery complies with Austrade’s data security requirements.
- The vendor will agree to implement risk treatments identified by Austrade as part of the assessment, and will agree to these mitigations being included in contracts where relevant.
- The vendor will report any security breach or vulnerability that impacts Austrade’s information or data to Austrade within 24 hours of identification. Such notifications should be addressed to security@austrade.gov.au or cyber.security@austrade.gov.au unless another notification process has been accepted by Austrade.
- The vendor will assist Austrade with conducting lessons learned exercises about an incident or breach, and where agreed by both Austrade and the vendor, share this information with other third parties to prevent re-occurrence.
- The vendor agrees to allow Austrade to audit the vendor with relation to vendor security processes.
- The vendor will agree that changes to the nature of the engagement and/or agreement that pose an unacceptable level of security risk must be prevented, or must trigger a reassessment of the arrangement, with the potential for the agreement to be terminated.
- The vendor agrees to provide Austrade with full access to intellectual property developed on its behalf as part of the agreement. The vendor will provide copies of intellectual property in editable, controllable formats, for example by providing full source code for technical implementations.
Security ownership and control
- Prior to execution of the agreement, and when requested by Austrade during the agreement, the vendor will provide a summary of the corporate structure and details of ownership of the vendor’s organisation, including, where relevant, the usual location and citizenship of the individuals ultimately responsible for the ownership or day-to-day management of the organisation, e.g. the owner or CEO.
- Prior to execution of the agreement, and when requested by Austrade during the agreement, the vendor will provide a summary of the operating history of the vendor’s organisation: how long the organisation has been in business, where it was founded, where it is headquartered, and where it operates.
- Prior to execution of the agreement, and when requested by Austrade during the agreement, the vendor will provide details of any bankruptcies or voluntary or involuntary administration the vendor’s organisation has experienced.
- Prior to execution of the agreement, and when requested by Austrade during the agreement, the vendor will provide details on any political connections the vendor or management staff of the vendor have to any country.
Security supply chain
- Prior to execution of the agreement, and when requested by Austrade during the agreement, the vendor will provide details on the vendor’s third-party suppliers (suppliers that provide products or services to the vendor) where those suppliers or supplier systems will process, store, communicate, or have access to Austrade’s information or data.
- Prior to execution of the agreement, and when requested by Austrade during the agreement, the vendor will provide details of the vendor’s third-party suppliers (suppliers that provide services to the vendor) where a critical business failure of those suppliers would impact the vendor’s delivery of services to Austrade.
Security disclosure
The vendor is required to disclose if:
- Any Austrade data will be stored, processed, or communicated outside of Australia by the vendor or the vendor’s third party suppliers. If so, please list the countries and what Austrade data related to this engagement will be handled in them.
- Any Austrade data will be stored, processed, communicated, or accessed by one of the vendor’s third party suppliers. If so, please list the parties.
- Access to the vendor’s systems (including email) where Austrade data is housed will not be protected by Multi-Factor Authentication.
- The vendor intends to store, process or transfer Austrade data, related to this engagement or otherwise, in another third party system that is not fully owned, operated and managed by the vendor’s organisation. If so, please list the systems, e.g. the vendor proposes to use file sharing service x, online email service y, or to collect data using system z. For each system, confirm whether the system and data are hosted in accordance with the Australian Government’s Digital Transformation Agency Hosting Certification Framework (HCF).
- The vendor’s systems are not covered by the Australian Government’s Australian Protective Security Policy Framework (PSPF) and Australian Government’s Australian Signals Directorate’s (ASD) Information Security Manual.
- The vendor changes ownership (e.g. is purchased by new owners).
- The vendor does not have a formal business continuity plan enabling it to continue to provide services to Austrade in the event of a disruption. If so, please outline whether there is a plan to develop one, or explain how the vendor will ensure operational continuity during a major disruption.
- The vendor does not have an annual internal or independent audit covering its security program. If so, please state how regularly such audits do occur and when the next is planned.
- The vendor does not provide annual cyber awareness training to its staff. If so, please confirm how the vendor will ensure that staff working with Austrade data are briefed on cyber risk.
- The vendor’s staff on-boarding process does not include a criminal record check. If so, please confirm how the vendor will ensure that staff working with Austrade data are covered by a criminal record check.
System or platform cyber security requirements
These additional requirements apply alongside those above to vendors engaged by Austrade to deliver technology related solutions. After a vendor is selected, these requirements, along with the requirements above, become terms in Austrade’s contract with the vendor.
Security governance
- The solution will be capable of meeting the relevant requirements for appropriate controls to protect people, information and assets found in the Australian Government’s Australian Protective Security Policy Framework (PSPF).
- The solution will be capable of supporting the Australian Government’s Australian Signals Directorate’s (ASD) Information Security Manual requirements, including the ability to implement and monitor the Essential 8 strategies to mitigate cyber security attacks.
- The solution will have an information security assessment conducted by an assessor certified by the Australian Signals Directorate’s Infosec Registered Assessors Program (an IRAP assessment) in the last 24 months where required by the PSPF.
- The solution’s security assessment by an Australian Signals Directorate Infosec Registered Assessors Program assessor will be renewed every 24 months.
- The vendor agrees to make any information security assessment conducted by an assessor certified by the Australian Signals Directorate’s Infosec Registered Assessors Program relating to the solution available to Austrade.
- The vendor agrees to allow Austrade to audit the vendor with relation to system or platform security processes.
- The vendor will, by agreement, allow Austrade to conduct or require the vendor to conduct security testing such as vulnerability scanning and penetration testing for the solution.
- The vendor agrees to make the architecture of systems developed on behalf of Austrade available to Austrade, including architecture diagrams and detailed descriptions of any related components.
- The vendor will provide a shared responsibility model that details who is responsible for each aspect of the operation of the service, including any relevant third party suppliers.
Security hosting
- Austrade data will be processed, stored and communicated in Australia.
- Austrade data will be hosted using certified services and associated infrastructure by applying the Australian Government’s Digital Transformation Agency Hosting Certification Framework (HCF).
- The vendor will support file exchange of sensitive data between the vendor and Austrade or any third parties by encrypted transfer methods if required.
- All data stored in the solution, including user personal information and comments, will be treated as the property of Austrade and cannot be shared by the service provider with anyone without prior consent from Austrade.
- The vendor agrees to meet the availability requirements defined in the contract.
Security access
- Austrade will retain ownership of the access controls to systems, infrastructure, and platforms it procures from third parties.
- Security controls applied by the vendor will be equally effective across all access platforms, e.g. on desktop computers and on mobile devices.
- Security controls applied by the vendor will be equally effective across all access or account types, e.g. external user, Austrade user, and vendor administrator.
- The solution will support secure access including Multi Factor Authentication for external users.
- The solution will support secure access including Multi Factor Authentication for Austrade users.
- The solution will support secure access including Multi Factor Authentication for vendor users including administrators.
- The solution will enable separation of data by 'functional area', team or individual to restrict access to sensitive information, and meet privacy and 'need to know' requirements.
Security patching
- Patches, updates or other mitigations for vulnerabilities affecting systems, tools or platforms handling Austrade information will be applied within 48 hours of release when assessed as critical by the vendor, or within two weeks of release when assessed as non-critical by the vendor and no working exploits exist.
Security legislation
- The service provider will allow for the ability to dispose of application form data at the termination of the contract and must comply with the Records Disposal Act.
- The solution will be capable of meeting Freedom of Information (FOI) requirements for Australian Government Agencies.
- The solution will be capable of meeting the Archives Act 1983 for handling of records.
- The solution will comply with the Australian Privacy Principles and the Notifiable Data Breaches scheme.
- The solution will comply with the General Data Protection Regulation (GDPR).
Security certificates
- The solution's SSL certificate will be purchased from and installed using a trusted third-party certificate authority, with 265-bit encryption (40-bit minimum) and support for the RSA and DSA encryption algorithms.
Assessment
To ensure the application of these requirements, Austrade conducts security and cyber security assessments for vendor and vendor third party engagements and/or systems and platforms where required.
This assessment helps Austrade to evaluate the security certifications and controls that a vendor’s and its related third parties’ solution has in place. It also gives visibility of how Austrade will use the offering, what data will be stored in it, and what additional controls may need to be enacted to ensure Austrade’s data is secure.
The assessment is conducted in accordance with the requirements and considerations detailed in this policy.
For technical systems and platforms, at the conclusion of this assessment, a Security Risk Management Plan (SRMP) is created to detail identified risks and required mitigations. The SRMP must be approved by the Chief Information Security Officer (Head of ITS) or another approved delegate before the system or platform can be used.
Terms used in this policy
Austrade data or Austrade information
Data and information that is created by, owned by, or controlled by Austrade. This includes data owned by other agencies that is controlled by Austrade.
Sensitive data
Sensitive data is any data that, if compromised, could cause damage to an individual, an organisation, the Australian Trade and Investment Commission, the Australian Federal Government, or any other Australian government entity.
The solution
‘The solution’ is general language used to refer to any system, platform, service or application that will process, store, communicate or transform Austrade data or Austrade Information as a part of the engagement.