vic_logo
buyingfor.vic.gov.au

Information security - goods and services procurement guide

Find out how to manage information security when buying and managing contracts for goods and services.

What is information security?

Information security protects unauthorised access to information by identifying and managing the risks. The term cyber security refers to the protection against cyber threats. It is the process, techniques and risk management approaches involved to protect:

  • sensitive information
  • computer systems
  • networks
  • software applications

Cyber security provides protection from unauthorised access or attacks that are aimed at exploitation.  

Why is information security important during procurement?

The aim of information security is to support service delivery and business outcomes by:

  • preventing unauthorised access
  • preventing interference to information

The government stores information on devices and internal and external servers (e.g. the cloud). This data is transmitted across government and commercial networks. Unauthorised access or interference to the government’s information can create negative consequences. Consequences can include:

  • compromise of service delivery and business continuity
  • corruption and fraud
  • exposure of classified, private and/or sensitive data 
  • reputational damage
  • significant financial cost
  • foreign interference 

What are the risks to information security?

Buying goods and services can create information security risks to government. These risks are mostly in Information and Communication Technologies (ICT) and the physical access to our work areas. Examples where information security risks could be missed include: 

  • where a supplier is provided with access to government systems to provide a consultancy
  • where non-ICT goods contain embedded chips that could be manipulated to provide unauthorised data

Broadly, information security risk may occur in:

  • the system being purchased (comprising goods and/or services)
  • the supply chain (the supplier and their subcontractors or suppliers)
  • integration of the system into existing ICT networks
  • use, both digital and physical
  • disposal 

Let’s now look at each of these in turn.

System risk

Commercial systems may not have been developed with information security requirements in mind. They may rely on customers having other systems to provide security, which customer agencies may not have or want to buy. 

It is best that the system you are buying is “secure by design”. 

Secure by design is a methodology which aims to ensure ICT systems and solutions are designed from the foundation to be secure. The key benefits of buying ICT systems through a secure by design approach include:

  • enhanced capacity to meet business need
  • capacity to influence ICT risk throughout the entire life cycle, including cyber security threats
  • known vulnerabilities are not introduced
  • reduced cost to secure systems
  • reduced ongoing costs to treat inbuilt vulnerabilities

A secure by design approach reduces the need to fix vulnerabilities in the system. Putting in place processes to manage design vulnerabilities is not as effective or reliable as secure by design. 

Supply chain risk

Information security risk in supply chains comes from suppliers, subcontractors, and their other sources of supply. The suppliers and their supply chains responding to tenders may risk: 

  • unauthorised information disclosure
  • service disruption
  • negative impact on performance

Integration risk

When bringing a new system into a network, think about the information security risk. The new system and/or contractor may be able to access government information and other systems. 

The risk may not only apply to your agency’s network as it: 

  • may be connected to a wider government network
  • may link the new system to the contractor’s systems (a prime example is a cloud service)

In-service risk

Risks from the system design and integration stages of the  procurement may become issues during the in-service stage. 

 For example, a Victorian Government agency was the victim of a ransomware attack. The attack interrupted service delivery. It cost the agency resources to recover and restore information and systems. The evaluation of the incident found the agency’s systems were compromised through their ICT Managed Service Provider.

Given that an in-service period may be many years, the risks may change. Changes such as:

  • introducing new systems to the network or
  • external environment changes

As a result, it's important to review risks when changes occur.

Disposal risk

It is important to consider the risk associated with the method of asset disposal. Is there an opportunity for someone to recover information from the system during or after its disposal?

What should I do to keep information secure?

Each agency is accountable for managing the information security risks when buying goods and services. Agencies must manage the risks associated with the introduction of new goods or services, and their ongoing use and disposal. 

Agencies must also ensure contractors:

  • securely handle government information and
  • not introduce unacceptable risks

For more information on how to embed risk management of supply chains, please see Information security – supply chain risk management: 

When conducting a procurement, agencies should:

  • understand the risk of the procurement
  • include information security requirements
  • insert information security clauses into contract arrangements
  • evaluate offers and tenderers for their risk to government information and ICT assets
  • review the contracted goods/services for information security before and after implementation

Risk Rating

First focus on establishing what level of information security risk is associated with the buying activity.

A low risk rating has the following characteristics:

  • no physical access to government facilities
  • access to publicly accessible information
  • no connections to ICT networks or other systems
  • no critical business processes

A medium risk rating has the following characteristics:

  • supervised access to government facilities
  • access to sensitive information
  • connections to non-critical networks and systems

A high-risk rating has the following characteristics:

  • unsupervised access to government facilities
  • connections to critical systems and networks
  • essential services and/or processes
  • access to security classified information

Information security in goods and services requirements 

By understanding the level of risk, agencies will be able to put in place controls. To manage the information security risks you should (where appropriate):

  • work out the value and classification of the information or information asset/system being purchased
  • document risk to people, information, assets and service delivery
  • use industry standards, frameworks, security benchmarks and tools to identify risk mitigation methods
  • put in place proportionate protective information security measures to manage the risk over the life of the arrangement
  • put in place appropriate security arrangements at the completion or termination of a contract

Requirements should include:

  • security functional requirements, such as security capabilities (e.g. intrusion detection)
  • security functions (e.g. incident response), and security mechanisms (e.g. use of cryptography)
  • security strength requirements, such as compliance with the Australian Signals Directorate Information Systems Security Manual Official requirements
  • security assurance requirements: 
    • development processes, procedures, practices, and methodologies
    • contractor’s breach notification requirements
    • evidence from development and assessment activities such as penetration testing or Information Security Registered Assessors Program assessments
  • supply of security-related documentation;
  • service level requirements (e.g. availability expectations)
  • privacy and confidentiality requirements; and access to source code (for custom built software)

Security requirements in the contract

Reinforce business requirements by including security requirements in the contract about:

  • the contractor maintaining an industry standard aligned information security program (e.g. ISO 27001)
  • limits of liability
  • confidentiality requirements for government data and information
  • service level agreements (SLAs) and rectification or compensation
  • contractor financial reporting
  • preventing data loss
  • contractor insurance 
  • contractor business continuity/disaster recovery plans
  • backup guarantees
  • warranties
  • breach notification 
  • requirements on contract negotiation
  • privacy
  • security functional requirements
  • security strength requirements
  • security-related documentation
  • security assurance requirements, including ongoing (e.g. penetration testing, iRAP (for cloud services), etc
  • goods/services acceptance criteria
  • termination capability

Please see the contract development information security checklist:

Evaluate offers and tenderers

As part of the offer evaluation, it is important to develop a detailed understanding of each tenderers’ security profile. This is to assess if they represent an acceptable level of organisational risk. Consider engaging people with appropriate expertise for this assessment. Experts could be risk managers, ICT staff or cyber security staff. 

Methods for assessing tenderers may include those listed below. These are ranked from least effective to most effective. Note that the level of effort by buyers and tenderers increases in line with effectiveness:

  • open source research
  • questionnaire
  • evaluation of security documentation
  • security rating service
  • written report from third party assessor
  • formal on-site evaluation by third party
  • formal on-site evaluation by agency expert staff

Please see the example of a tenderer information security audit:

Review the contracted ICT goods/services

Once the preferred tender is selected and entered into a contract, agencies should do a detailed review of risks.  Review the contracted goods/services for information security risks before and after implementation. A review before implementation ensures the goods/services are safe for your systems and connected networks. A review after implementation is conducted ensures implementation has occurred securely. 

There should also be regular reviews:

  • throughout the life of the contract and
  • when a significant change occurs in the network or
  • when asignificant change occurs in the external information security environment

References

Consider agency involvement of ICT and cyber security professionals in information security practices:

  • at the agency level
  • in individual procurements should be considered

 You may also find the reference materials below useful.

Using this guide 

This guide accompanies the goods and services supply policies. There are 5 supply policies: 

  • Governance policy 
  • Complexity and capability assessment policy 
  • Market analysis and review policy 
  • Market approach policy 
  • Contract management and disclosure policy 

This guide supports the Governance, Market analysis and review and Market approach policies. 

Tools and support

For more information contact the Chief Information Security Officer at the Department of Premier and Cabinet on Vicgov.ciso@dpc.vic.gov.au

Reviewed 24 August 2020

Buying for Victoria

Was this page helpful?