DTP Third Party Security Guideline

This Guideline provides direction for third-party providers (third parties) on how to protect the confidentiality, integrity and availability of Department of Transport and Planning (DTP) information, and systems managed through third-party service arrangements, including offshore and cloud hosting services.

1. Purpose

This Guideline defines the conditions required to maintain the security of DTP’s information, when it is shared with, or access is granted to third parties.

In this Guideline, “third party” also covers parties further along the business relationship chain, e.g. fourth parties, fifth parties and other Nth parties.

2. Scope

This Guideline applies to:

  • all third parties, including organisations and external parties, who have access to DTP information. This includes all third-party executives, staff and sub-contractors who have access to DTP information, either directly or indirectly.
  • all DTP information and systems, regardless of its format, and the protection of this information throughout its lifecycle, and the contract life cycle, across the domains of:
    • information
    • personnel
    • Information and Communication Technology (ICT)
    • physical security

Third parties must not perform an act or engage in a practice that contravenes the Victorian Protective Data Security Standards (VPDSS) in respect of public sector information which is collected, held, used, managed, disclosed or transferred during their official and contractual duties for DTP.

This Guideline defines the minimum security requirements for third-party services, including:

  • hosted DTP information assets
  • ICT systems
  • Industry Automated Control Systems (IACS)
  • Internet of Things (IoT)
  • third-party facilities used by managed service providers

3. Information Management and Privacy

The following laws, standards and principles govern how the Victorian public sector handles personal and health information, including when third parties are involved:

3.1. Privacy and Data Protection Act (PDP Act)

Third parties are obligated to protect personal information they handle on behalf of Victorian public sector organisations.

3.2. Victorian Protective Data Security Standards (VPDSS)

Third parties are obligated to adhere to specific security and privacy standards when handling Victorian public sector information.

3.2.1. VPDSS Standard 8

An organisation ensures that third parties securely collect, hold, manage, use, disclose or transfer public sector information.

3.2.2. VPDSS Standard 11 (E11.030)

The organisation conducts a security assessment for authorising systems to operate prior to transmitting, processing, or storing public sector information.

3.3. Information Privacy Principles (IPPs)

Third parties are obligated to comply with information privacy principles when handling Victorian public sector information.

3.3.1. IPP 4 – Data Security

Third parties are obligated to protect personal information they hold from misuse, loss and unauthorised access, modification, and disclosure.

3.3.2. IPP 9 – Transborder Data Flows 2019.B, 14 November 2019

Third parties are obligated to ensure that when personal information travels outside Victoria it remains subject to privacy protections.

4. Policy Element: Assessment and Selection of Third-Party Service Providers

4.1. Security Requirements

The following security requirements are part of the selection criteria when DTP selects third-party service providers.

4.1.1. Functional and Non-Functional Security Requirements

Functional security requirements define specific security behaviours a third-party’s system must have e.g. authentication and access control.

Non-functional security requirements, on the other hand, define how secure a third-party’s system should be e.g. its level of data protection.

Third-party security requirements are obtained from various sources, including:

4.1.2. Security Risk Assessment

A Security Risk Assessment (SRA) will be performed to identify and mitigate potential risks associated with engaging a third-party, prior to signing a contract.

SRAs may be undertaken:

  • in parallel with other formal negotiations
  • in consultation with applicable subject matter experts for systems and infrastructure containing Business Impact Level 2 (BIL 2) data and above, including personal information.

4.1.3. Other Security Requirements

Security requirements may be incorporated into the contract, where applicable. These requirements will be agreed to by third parties during the process of contract execution.

4.2. Security Provider Selection Requirements

DTP will select third-party providers taking into consideration the following security criteria.

4.2.1. Lifecycle of Information

Third parties are obligated to store, access, use, transmit and dispose of all DTP information which they acquire from DTP in accordance with relevant laws and guidance, including:

4.2.2. Certification and Compliance

Third parties that are required to store and/or process DTP information must possess an independently assessed certification, such as:

  • ISO 27001
  • Systems and Organization Controls 2 (SOC 2) Type II
  • a certification equivalent to ISO 27001 or SOC 2 Type II

Third parties are required to adhere to the VPDSS, even if VPDSS requirements become more stringent.

Third parties that are government entities must demonstrate compliance with VPDSS requirements and provide an attestation.

4.2.3. Business Impact Level

Business Impact Levels (BILs) assess the potential damage caused by compromising the confidentiality, integrity, or availability of information or systems. The higher the impact, the stronger the security measures must be.

Third-party compliance and certification requirements, by confidentiality BIL, are:

  • Confidentiality BIL less than 2: third parties demonstrate compliance with VPDSS requirements, e.g. by self-assessment.
  • Confidentiality BIL 2: third parties are certified to ISO 27001, SOC 2 Type II or an equivalent certification, e.g. independently assessed certifications/audits.
  • Confidentiality BIL 3 or greater: a third-party InfoSec Registered Assessors Program (IRAP) assessment, or an agreed equivalent assessment, is satisfactory, i.e. it confirms that security controls have been implemented effectively and are operating as intended.

4.2.4. Cardholder Information

Third parties that store or transmit cardholder information are obligated to demonstrate, and provide evidence, that they have the capability to comply with PCI DSS requirements and provide an Attestation of Compliance (AoC).

4.2.5. Data Sovereignty & Offshore Hosting

Relevant data sovereignty and legal jurisdiction risks will be considered, including IPP 9 – Transborder Data Flows requirements.

Third-party storage location arrangements will be evaluated by DTP before any decision is made to proceed with a given service.

DTP must know where data will reside when considering using an offshore third-party provider, given that third-party providers could:

  • store their client data in locations other than where their business is, or appears to be, based
  • be required to disclose data to local authorities independent of DTP authorisation
  • move data without notice from location to location to accommodate operational issues e.g. load balancing
  • re-sell the service to another third-party provider, further distancing the control of the data from the owner

DTP will only consider using third-party offshore hosting if a security assessment is completed, and the following conditions are met:

  • information value is “Low” risk
  • general data handling and security capabilities are deemed suitable
  • local data protection regulations have controls that meet, or exceed, VPDSS requirements
  • personal information handling complies with IPP 9 requirements

4.2.6. Data Beyond Borders

Data and computing environments must not be accessed, configured, or administered from outside Australian borders by third party providers, unless:

  • a contractual arrangement exists between the third-party provider and DTP to do so, and
  • if relevant, a risk analysis has been undertaken, which also considers privacy risk.

4.2.7. Risk Assessment

Third-party managed and maintained solutions are required to go through a security risk assessment.

5. Policy Element: Contractual Requirements

The following security provisions will be applicable to third-party providers.

5.1.1. Protection of Information

Third parties will be required to sign a “Contractual Agreement”, and may be required to sign additional documents, including:

  • Memoranda of Understanding (MOUs)
  • information sharing agreements
  • non-disclosure and confidentiality agreements.

Third parties seeking access to DTP information will be required to protect the confidentiality of DTP information and sign an agreement, for instance:

5.1.2. Security Roles and Responsibilities

Third-party individuals and roles with security responsibilities must be documented and formally agreed with DTP.

5.1.3. Security Controls

Security controls entrusted to third parties for the protection of information will be documented in a formal agreement or undertaking, where applicable.

5.1.4. Ownership of Data

DTP must retain ownership of its data in the agreement with third party providers.

5.1.5. Retrieval of Data

Third parties are required to provide a plan setting out how DTP will be able to retrieve DTP’s data in the event the third-party ceases operating and as required by law.

5.1.6. Documented Permission

Third parties are required to obtain DTP’s written approval, prior to:

  • relocation of DTP’s data to another hosting service or cloud environment
  • another third party taking control of the third-party supplier

5.1.7. Right to Audit

DTP must retain the right to audit the third-party provider for compliance with security requirements in the contract.

Third parties that are engaged to manage sensitive DTP information must allow DTP, or a nominated provider, to conduct security audits, investigations or forensic analysis of third-party systems and associated facilities, technical controls, and personnel screening practices.

5.1.8. Disposal of Information

DTP information that third parties no longer require under a statutory obligation will be either:

  • returned to DTP
  • securely deleted

Third parties will provide a certificate of destruction to DTP.

5.1.9. Credit Card Information

Third parties will be contractually obligated to implement and maintain PCI DSS requirements when handling credit card information.

5.1.10. Maintain Confidentiality

At the conclusion of the contract, third parties and their personnel are required to provide formal acknowledgement of their continuing obligation to maintain the confidentiality of DTP information.

5.1.11. Security Data Breach Notification

Third parties will be contractually obligated to notify DTP of any security incidents, or breaches, that impact DTP information within 72 hours of discovery.

5.1.12. Sub-Contracting/Fourth Party Risks

Third parties will be contractually obligated to notify, and obtain explicit approval from, DTP if they involve any sub-contractor to process, store or transmit DTP information.

Third parties will be accountable for ensuring that the DTP information is managed by the sub-contractor in accordance with this guideline.

Third party contracts will include a “Right to Audit” clause for sub-contractors that deal with DTP information.

6. Policy Element: Third Party Access Security

6.1.1. Personal Information Handling

Third parties are obligated to handle personal information in accordance with contractual obligations, relevant legislation, and Victorian privacy laws.

Third parties are obligated to take reasonable steps to protect the personal information they hold from misuse and loss, and from unauthorised access, modification, or disclosure.

6.1.2. Approved Business Purposes

Third parties may only use the DTP network connection for approved business purposes.

Third party use of the DTP network connection for unapproved purposes is prohibited e.g. for personal use or gain.

6.1.3. Unauthorised Use or Modification

Any third-party misuse of access, or tampering with DTP-provided hardware or software, will be addressed according to severity and may include criminal proceedings.

6.1.4. Termination of Contract

Upon termination of contract, for any reason, third parties will ensure that all information belonging to DTP is, at DTP’s direction, collected and returned to DTP or securely destroyed within an agreed period.

Subject to DTP’s direction, information that has been produced by third parties for DTP, which DTP does not already possess, shall be returned to DTP for recordkeeping under Public Record Office Victoria (PROV) requirements.

6.1.5. Employee Changes

Third parties will promptly inform DTP in writing of any relevant employee changes.

This includes the rotation and resignation of employees so that DTP can disable/remove their user accounts to secure its resources.

6.1.6. Maintaining Confidentiality

Third-party providers are solely responsible for ensuring that all usernames and passwords issued to them by DTP remain confidential and are not used by unauthorised individuals.

6.1.7. Approved Devices

Third parties must not transfer or store any DTP information to a third-party owned device except as approved by DTP.

Third parties and their employees, while on DTP premises, will be required to comply with all Australian Federal and State laws and regulations concerning safety, environmental and security operations.

6.1.9. Issued Identification

Third-party personnel will be required to carry DTP-issued identification with them when they are on DTP premises.

6.1.10. Unauthorised Access

Third parties that have direct, or indirect, access to DTP information must not copy, divulge, or distribute it to any other party without prior written approval from DTP.

6.1.11. Records Management

Third parties are required to comply with DTP’s policies regarding records management, proper use of information technology, portable storage devices, and treatment of DTP’s information.

6.1.12. Secure Devices & Information

Third parties agree to take any necessary steps to protect computing devices, and any DTP information contained within, or accessible via, the device, including by:

  • complying with DTP training and instructions
  • locking devices when not in use
  • complying with DTP’s password standards
  • safeguarding access credentials by not sharing them with anyone
  • being aware of surroundings when using the device
  • storing the device securely when not in use

6.1.13. Security Incident Response

Third parties must notify DTP immediately if they become aware of any actual or suspected security incident, including compromise of their access credentials, and take all steps that may be required by DTP.

Refer to the New third party cyber incident notification process located on the official Victorian Government website.

6.1.14. Physical Access

Third parties are required to comply with all relevant DTP physical access controls, rules, and regulations while onsite.

Third party personnel requiring physical access to any DTP area deemed business critical, or sensitive, must be accompanied by a member of DTP staff or personnel responsible for maintaining that business area.

These areas may include communications rooms, server rooms or document storage facilities.

7. Non-compliance with this policy

Failure to comply with this guideline may result in the confidentiality, integrity and availability of DTP’s information, systems and technology platforms being exposed, breached, and leaked, which could lead to significant business impacts to DTP, including reputational damage and financial loss.

Non-compliance by a third party may result in a breach of contract.

8. References

9. Definitions

  • eServices Register: a list of approved suppliers that the Victorian Government uses to buy IT goods and services.
  • eServices Register Contract: a standard contract used by the Victorian Government when procuring IT goods and services from suppliers listed on the eServices Register.
  • Industry Automated Control Systems (IACS): systems that use computers, software, and networks to control and automate industrial processes.
  • Internet of Things (IoT): a vast network of physical objects, or "things", that are embedded with sensors, software, and other technologies that allow them to connect and exchange data with other devices and systems over the Internet.
  • Victorian Protective Data Security Standards (VPDSS): 12 high-level mandatory requirements to protect public sector information across all security areas, including governance, information, personnel, Information Communications Technology (ICT) and physical security.

10. Acronyms and Abbreviations

  • AoC: Attestation of Compliance
  • BIL: Business Impact Level
  • ICT: Information Communications Technology
  • IRAP: InfoSec Registered Assessors Program
  • PROV: Public Record Office Victoria
  • SRA: Security Risk Assessment