With some 48,000 contracts, worth an estimated A$14.8 billion, entered into by federal government departments annually, security procedures for dealing with contractors still require improvement, according to the Australian National Audit Office (ANAO).
In a recent report titled Managing Security Issues in Procurement and Contracting, the ANAO examined 44 contracts, including at least 20 related to IT, across four agencies to evaluate whether they were effectively managing security risks arising from the use of contractors.
The Australian Customs Service, Commonwealth Superannuation Administration, the Department of Finance and Administration, and the Department of Foreign Affairs and Trade were involved in the audit. The Attorney General’s Department, responsible for the administration of the Protective Security Manual (PSM) was also consulted.
The PSM is the main source of protective security policies, principles and responsibilities for Australian government agencies, and prescribes the “minimum protective security standards” for agencies to maintain, including protecting the official information it generates and receives.
The audit focused on two broad types of contracting arrangements: contracting of security functions; and contracting of any service or business function that may require contractors to access sensitive or security classified information.
Overall, the ANAO concluded that the audited agencies were effectively managing security risks during the procurement phase when contracting out security functions, or functions that may require contractors to access sensitive information, however, the audit identified scope to improve the management of security risks once contractors had been appointed.
Interestingly, of the four audited agencies, there was a record of one recent security breach involving a contract examined during the audit.
“While this suggests that contractors may have largely adhered to security requirements, the ANAO notes that security breaches are sometimes not reported,” according to the report. “In this regard, one of the audited agencies did not have a system to effectively monitor and report such incidents.”
With an estimated asset base of A$206 billion across the general government sector, contracting is an integral part of the way Australian government agencies conduct business.
Another area cited as lacking in security are training programs for new contractors.
Here agencies could have improved processes and practices to ensure appointed contractors attend security training; monitor contractors’ adherence to security requirements in contracts; and reassess security risks in contracts when circumstances changed substantially, or when contracts were extended significantly beyond their original life.
Without naming names, the report identified considerable variation between the agencies in the extent to which they adhered to the minimum requirements for the management of security risks in procurement and contracting.
“The ANAO assessed one of the agencies as meeting virtually all of these requirements, two agencies as meeting most of these requirements, but the remaining agency as meeting few of these minimum requirements,” according to the report.
Furthermore, despite the “reasonably comprehensive” coverage of security requirements in most of the contracts examined, about half of the contracts examined did not contain provisions for dealing with the risk of access to the agency’s information through a third party interest, or explicitly identify a breach of security requirements as a reason to terminate the contract.
In only seven of the contracts examined, agencies were systematically assessing security performance or measuring compliance with security requirements.
“Generally, the audited agencies indicated that security matters were only considered if, and when, matters arose,” according to the report. “Some of the contract managers interviewed suggested they relied on the agency’s broader security programs and policies to provide them assurance that security requirements were being complied with.
“Most of the contracts reviewed during the audit contained a clause(s) requiring the contractor to advise the agency of any security incidents. Three of the audited agencies had agency wide processes for identifying, reporting, recording and monitoring breaches of security and other security incidents. The fourth agency did not have a system for effectively capturing details of security incidents.”
To assist staff to manage security risks during procurement and contracting activities, the ANAO recommends that agencies include in protective security and procurement or contracting policy documents, information on the security risks of using contractors that is appropriate for their operations, and update model procurement and contract templates to fully reflect the requirements of the PSM.
The ANAO also recommends government agencies adopt a risk based approach to monitoring and evaluating the performance of contractors, including their adherence to security requirements.
The agencies’ responses to the findings were generally agreeable with one stating it will expand this tool to capture more pertinent information for assessing changes in security risks involved in the use of contractors.
Customs agreed with the recommendation, and stated: “Customs has appropriate procedures and processes in place that ensures a risk-based approach to monitoring and evaluating the performance of contractors.”
The Department of Finance stated it is reviewing and redeveloping security, procurement and contracting policy documentation and procurement and contracting templates.
The audit engaged Courage Partners Pty Ltd to assist with the conduct of audit fieldwork and the production of management reports at two of the audited agencies. The audit was conducted in accordance with the ANAO’s auditing standards and cost about A$270 000.