Outsourced IT providers to federal government agencies aren’t being measured on the extent to which they deliver services to expected cyber security standards, an audit has found.
The audit covering three agencies - the Australian Taxation Office (ATO), the Australian Federal Police (AFP) and the Department of Foreign Affairs and Trade (DFAT) - was published late on Wednesday.
It examined three outsourced IT arrangements - one at each agency - and the extent to which these contracts, and the contract management that followed, verified compliance with the requirements the Protective Security Policy Framework (PSPF) places on agencies, as well as with the ACSC’s Information Security Manual (ISM) and the agencies’ own security policies.
The PSPF, in particular, covers the mandate on agencies to implement ‘Essential Eight’ cyber security controls to a certain standard.
“All selected contracts required contracted providers to adhere to the PSPF, ISM and entity internal policy requirements,” the auditor found.
“None of the entities [the agencies] had processes, performance measures and service level agreements related to managing non-compliance with PSPF, ISM and entity internal policy requirements.
“Further, none of the entities had processes for verifying the reliability of cyber security related performance information provided by contracted providers.”
Auditor-General Grant Hehir noted that reliance on outsourcers and contractors across government heightened the risk of security issues for agencies.
SLAs and KPIs for contracts tended to focus “on the management of services, such as maintenance activities and availability of systems.”
Hehir saw a need for specific metrics on security compliance to be baked into outsourcing contracts, so that performance could be verified on an ongoing basis.
“The specification of important security considerations should be documented in the contract and service level agreements,” the Auditor-General wrote.
“This ensures that the security considerations are verifiable and enforceable.”
The three agencies largely agreed to make changes to the way security requirements are assessed and written into outsourced IT contracts.