The National Disability Insurance Agency (NDIA) is publicly backing the security of its new PACE CRM platform, after a report raised “concerns" about the system and “serious concerns” with the agency’s information security generally.
The document - which had been sought under freedom of information (FoI) laws - is to be kept private after a mid-September ruling deemed it too sensitive for public airing.
It is said to include “significant detail” about NDIA’s ICT environment, “including detailed processes and specifics around types of controls NDIA has in place regarding validation of payment claims”, the ruling by the Administrative Appeals Tribunal (AAT) states.
The document also contains “sensitive detail regarding the development and implementation of PACE, including the foundational cyber security principles the agency has used to develop the network in which the PACE sits.”
In addition, it is said to have raised "some serious concerns about the security of the information and information systems employed by the NDIA."
PACE is a new customer relationship management (CRM) system based on Salesforce, which over time will replace a SAP-based CRM supplied by Services Australia.
Internal testing of PACE started in June last year, before progressing to external testing at the end of 2022. PACE is set to be deployed nationally from the end of October.
The AAT suggested that both PACE and NDIA’s ICT environment “may have changed” - for the better - since the document being sought had been prepared.
However, even with remediation of the concerns raised in the report, the Tribunal said it wasn’t prepared to risk a public release.
The AAT said the contents of the document, if released, “would damage public confidence in the scheme and of the NDIA more broadly.”
“As it is, there are many reports these days about information security, matters being ransomed by organised criminals, that to release such a report or make such a report available runs a substantial risk of damaging the public confidence in the operation of the NDIA,” wrote AAT deputy president Greg Melick.
“I cannot be satisfied that it would not increase the risk of a cyber attack on the NDIA systems.”
An NDIA spokesperson told iTnews that the agency “continues working to ensure our new computer system supports our staff and improves participants’ experience with the scheme.”
“The agency is confident in the security of the new ICT system,” the spokesperson said.
