Policy

  1. Security risks can arise through the procurement of goods and services and effective risk management is required to reduce the likelihood and consequence of security issues or incidents.
  2. This policy supports the South Australian Government’s procurement requirements [1] which detail how agencies procure goods and services. The requirements of this policy seek to ensure security risk is a considered element in all procurement processes.

[1] The South Australian Procurement Framework consists of Treasurer's Instruction 18, the Procurement Governance Policy, and supporting policies that set the minimum requirements for each key procurement activity (planning, sourcing and contract management).The Framework is designed to empower public authorities to engage with industry, clients and communities to innovate and take balanced risks to pursue better outcomes.

Manage any security risks that arise from the procurement of goods and services

  1. To ensure any security risks that arise from the procurement of goods and services are managed, agencies [2] must:
    1. identify and mitigate security risks to the agency’s people, information and assets generated by the procurement
    2. ensure relevant security terms and conditions are included in contracts and service agreements that mange identified security risks to the procurement
    3. manage and monitor:
      1. security risks for changes or incidents that could affect the procurement, service agreement or security of the agency
      2. the performance of the contractor (including subcontractors) over the lifetime of the contract
    4. implement appropriate security arrangements to manage the completion or termination of a contract or agreement
[2] This policy applies to all South Australian public sector agencies (as defined in section 3(1) of the Public Sector Act 2009) and to any other person or organisation that is generally subject to the direction of a Minister of the Crown; all of which are referred to in this policy as “Agencies”.

Guidance

  1. The overall value of a procurement can be significantly reduced by negative security outcomes. Agencies remain responsible for identifying, managing and mitigating security risks when the provision of goods and services is outsourced.
  2. While an agency must manage any security risks, contractors play an important part in identifying, managing and mitigating those risks.
  3. The South Australian Governments procurement requirements mandate that risks to the procurement must be identified, managed and monitored. This policy mandates that protective security risks are specifically considered within that same process.
  4. If security risks identified in procurement processes cannot be mitigated to an acceptable level, or the risks to government or the agency are too great, agencies should seek alternate procurement arrangements and record any decisions to do so. This includes where a security risk cannot be quantified or is too complex to be calculated.

Understanding risks, threats or vulnerability to procurement

  1. If an agency does not understand or appreciate the risks associated with a procurement, they will not be able to identify appropriate risk treatments. For example, cloud technologies may seem more affordable and faster, however, specific contract clauses or operational controls might be required if that contractor stores information in a foreign country.
  2. Table 1 provides some examples of potential risks associated with procuring goods and services:

Table 1 – Potential risks associated with procurement

Risk typeRisk description
Insider threat
  • It is a known and effective tool to use people (including contractors) with access to an agency’s information or resources to obtain that information for purposes not in the interests of the agency, South Australian or the nation more broadly
  • Australia, and South Australia more specifically, is an attractive target for exploitation given its prominent role in the Asia-Pacific region, its strong diplomatic ties with other nations and its resource, energy, defence and cyber sectors particularly
  • Compromise of an agency’s information or resources could be used to gain economic, diplomatic or political advantage against South Australia or Australia (e.g. intellectual property, financial records, ICT system design). Personal information can also be used for malicious activities through social engineering
  • State-sponsored actors (e.g. foreign intelligence services) work on behalf of foreign government or entities to intentionally infiltrate, compromise, steal or manipulate information which can have a detrimental impact on state and national security and commercial sectors (e.g. resources, financial, telecommunications)
  • Technical capabilities are becoming more sophisticated and easier to use. The potential high gains to be made from targeting vulnerable sectors or systems may increase the risk of insider threat to agencies
Supply chain
  • Agencies may engage multiple contractors, or a contractor may engage multiple subcontractors as part of the supply chain. The more parties are subject to any procurement or service provision, the greater or more complex the risk becomes
  • It is recommended to:
    • consider the security risks of each contracted provider independently and holistically
    • reduce vulnerabilities and ensure security continuity to manage risks along the entire supply chain
Foreign involvement
  • Arrangements where resources are made or held outside of Australia (by the contractor or a subcontractor) may have additional risks. For example, services located offshore are subject to laws of those countries and may be subject to lawful and covert collection
Differences in legal and business cultures
  • Tolerance (legal and law enforcement effectiveness) and acceptance of corruption and crime can be vastly different in other countries
  • Foreign enterprises may be owned, influenced or funded by foreign governments
  • A lack of visibility into the contractor’s or services providers’ corporate structure, funding or use of non-reciprocating safe harbours
  • Extrajudicial behaviours of foreign governments may give rise to further risks that need consideration. The lack of the rule of law may lead to attempts to misappropriate information or assets (including by organised crime)
Multiple legal jurisdictions
  • Information or assets may be subject to the laws of multiple jurisdictions. This might occur when:
    • Foreign laws apply to a contractor due to it being located offshore (sometimes in multiple locations)
    • Foreign laws have extra-territorial application to a contractor located in Australia
    • Goods or services transit through a third-party foreign jurisdiction
  • Most foreign jurisdictions have legislative powers that allow access to assets, communications and stored information for purposes of law enforcement and national security. In some circumstances, international law enforcement or national security agencies can access information held overseas or in Australia
  • Contractors should provide assurances that any information they handle will align to the agency’s risk tolerances and be managed securely
  1. Agencies should consider and seek to identify security risks that could affect or be caused by:
    1. the state or national interest
    2. risks to critical infrastructure (agency-specific, South Australian and national critical infrastructure)
    3. risks to people transacting with the agency via a contractor (or subcontractor)
    4. the ability to maintain control of information or resources that are outsourced, offshore or supply chain arrangement with potentially changing legal frameworks
    5. foreign involvement
    6. insider threat
    7. South Australian Government agencies or other entities
    8. agency security plans

  1. Relevant security provisions and associated protections must be included in contracts or service agreements. The benefit of ensuring security terms and conditions are identified means they are legally enforceable.
  2. Agencies should do this by including terms and conditions in their procurement documents [3] relating to:
    1. imposing appropriate information, physical and personnel security requirements
    2. identified security risks relevant to the procurement
    3. ongoing management of security risks and any proposed risk treatments
  3. Table 2 outlines some of the recommended terms and conditions to be included.

Table 2 - Recommended terms and conditions

Security domainTerms and conditions
Governance

Governance arrangements include provision for agencies to:

  • amend (or terminate) a contract where issues of security concern arise (e.g. change of ownership to a non-approved entity, suspected or actual security breaches)
  • monitor ongoing contracts through all levels of subcontractors and supply chains
  • manage changes to the provision of goods or services
  • terminate the contract where the contractor fails or refuses to comply with the security terms and conditions, or mitigate security incidents

That require the primary contractor to:

  • notify of actual or suspected security incidents (particularly those involving security cleared personnel) and follow the directions of the agency in relation to investigations and outcomes (including other affected agencies or entities) (see the South Australian Protective Security Policy Framework (SAPSF) policy Security governance for more detail on reporting security incidents)
  • take reasonable steps to prevent, detect and respond to fraud and corruption
  • implement security measures to identify, manage, monitor and review security risks to the information or assets provided by the agency, including protecting them from compromise at all times
  • periodically review security measures under the contract to ensure the arrangements are current and address the risks, threat, vulnerabilities or criticalities
  • be responsible for managing and monitoring the protective security compliance of its subcontractors and supply chain arrangements, including regular security awareness training
Information
  • Information  handling controls and storage arrangements for sensitive and security classified information must be consistent with the requirements of the SAPSF
  • Contractors must   be able to demonstrate they are capable of handling or storing the agency’s information securely
  • Ensure   information assets remain the property of the South Australian Government,   (including being returned and/or deleted upon completion or termination of the contract) and must only be used for the purposes outlines in the contract
  • No service requiring access to official information, including security classified information, can be subcontracted without the approval of the agency
  • Address any legal rights that a third-party may have over the contractor that could allow access to the agency’s information
  • Ensure that the requirements of SACSF Ruling 2 Government information in outsourced and offshore ICT arrangements are applied when considering outsourced arrangements where government information may be stored or processed offshore
  • Ensure the contractor notifies the agency if they discover or suspect that sensitive or security classified information has been, or will be, transferred overseas   without approval from the agency in writing
  • Ensure  information removal from data centres where ownership of contractor is transferred to a foreign entity
  • Contractors must notify notify Cyber Security in the Office of the Chief Information Officer for actual or suspected cyber  threats or attacks as per PC042 – Cyber Security Incident Management

Office of the Chief Information Officer 

Department of the Premier and Cabinet

E: watchdesk@sa.gov.au

P: 1300 244 168

Personnel
  • Contracted personnel should meet the requirements of SAPSF policy Recruiting employees, including identity, eligibility and suitability requirements
  • Security clearance requirements must be applied to contractors as the agency would to its employees. The agency is responsible for managing any security clearance throughout the term of the contract
  • Any contractors without the correct security clearances must not be given unescorted access to areas where security classified information is handled or stored or access/administrator rights to systems which hold or process security classified information
  • It is recommended to have all contractors sign confidentiality or non-disclosure agreements if they will be accessing official government information
  • The contractor must seek written approval from the agency to share the agency’s information to any third parties
  • Provisions for revoking physical and ICT access when personnel from the contractor exit the company or role
  • Reminding departing personnel of their ongoing security obligations
Physical
  • Physical security measures must be consistent with the requirements of the SAPSF for all sites or locations where South Australian or Australian Government
  • Contractors must be able to demonstrate they have the appropriate physical protections to protect information, or assets holding information (including ICT assets)

[3] Such as requests for tender and subsequent contracts

  1. Good contract management includes oversight and review to ensure adherence to all essential security requirements and enable new or changing security risks to be identified.
  2. Agencies must monitor any contract for changes to the identified risks, threats, vulnerabilities or criticalities as well as the performance of the contractor in complying with the terms and conditions over the lifetime of the contract. Agencies should identify an appropriate contract manager to be responsible for managing and monitoring each contract.
  3. If an agency’s risks are subject to regular change (e.g. internal or external security environment changes), a flexible approach to contracts and their management may be required. As such it is recommended that agencies:
    1. develop positive working relationships with contractors based on open communication to help issues be resolved efficiently and effectively
    2. ensure contractors (including subcontractors) effectively communicate security risks to their employees and all relevant security terms and conditions of the contract that must be followed
    3. inspect any premises of the contractor (including subcontractors) prior to the contract commencing to verify that protective security measures have been applied to the standard required by the contract, and then reinspect periodically during the contract for any changes and overall compliance
    4. ensure all contractor personnel requirements have been achieved or obtained, such as:
      1. security clearances and clearance maintenance requirements
      2. legislative or policy requirements
      3. conflicts of interest
      4. confidentiality or non-disclosure agreements
    5. test and monitor (through site visits and audits) the contractor’s processes for handling and storing the agency’s information. Where required, seek access to vulnerability and risk assessments, business continuity plans and security threat advice that could affect the security of contract or information

  1. Security arrangements governing the completion or termination of contracts helps to prevent the compromise of official government information and damage to the agency. Agencies must put in place arrangements to securely manage the completion or termination of all contracts.
  2. It is recommended that at the completion of a contract, agencies:
    1. recover all information (electronic and hard-copy) and assets under the control of the contractor (or ensure the contractor maintains all security measures if for legal reasons the information or assets cannot be returned)
    2. require the contractor to delete all agency information on the contractors ICT systems [4]
    3. ensure sponsorship of any security clearances is removed and the authorised vetting agency notified (see SAPSF policy Employee separation for more details)
    4. obtain formal acknowledgement from contractors and their employees of their continuing obligations to maintain confidentiality.

[4] If security classified information (PROTECTED or above) was held, destruction must be as per the requirements of the South Australian Cyber Security Framework (PDF, 553.6 KB) or the Commonwealth Information Security Manual

Approved by: Chief Executive, Department of the Premier and CabinetDate of first approval: 20 April 2020
Revision number: 2.0Date of review: 30 November 2022
Next review date: December 2024
Division: Security and Emergency Management, Intergovernmental and Diplomatic Relations		contact: sapsf@sa.gov.au

Change  log

VersionDateChanges
1.020/04/2020First issue of policy
1.121/08/2020Definition of ‘personnel’ updated
1.22/11/2020Footnote 1 updated regarding the Procurement Policy Framework
2.030/11/2022

Table 2 – Recommended terms and conditions updated:

Reference to SACSF Ruling 2 regarding outsourcing and offshoring of ICT arrangement added