Core expectations

Under the Right Fit for Risk (RFFR) approach the Department requires Providers, as a minimum, to implement and manage a set of core expectations to maintain and enhance their security posture.

On this page:

RFFR Core Expectations: Personnel security

As part of processes to bring new people into the organisation, Providers must:

  • identify the individual and positively confirm the individual’s identity
  • verify the competency of the individual by verifying qualifications, certifications and experience provided on their Curriculum Vitae
  • obtain a satisfactory police check for the individual
  • satisfactorily complete Working with Vulnerable People checks as required by individual states and territories
  • confirm the individual has a valid right to work in Australia – a person who is not an Australian citizen must hold appropriate work entitlements
  • verify that the individual has successfully completed initial and ongoing security awareness training programs with content and timing tailored to their role
  • execute contracts which state that responsibilities for information security and non-disclosure requirements continue post termination
  • implement higher levels of assurance for individuals that have privileged or administrative levels. The additional personnel expectations include for individuals to be Australian citizens or permanent residents to give them sufficient connection with Australia and will be willing and able to undertake a suitability background check.

RFFR Core Expectations: Physical security

Providers are required to implement physical security measures that minimise the risk of information and physical assets being:

  • made inoperable or inaccessible
  • accessed, used or removed without appropriate authorisation.

All Providers are expected to meet physical security expectations. Permanent facilities are to be commercial-grade facilities located within Australia. A facility is any physical space where business is performed to support the provision of Government services. For example, a facility can be a building, a floor of a building, or a designated space on the floor of a building.

Providers allowing staff to work from home need to consider how the home environment can be configured to protect staff, program data and IT physical assets in the same manner as in the office environment. Personnel are to be aware of their environment when they use mobile devices to access and communicate program data, especially in public areas. In such locations personnel are to take extra care to ensure conversations are not overheard and data is not observed.

RFFR Core Expectations: Cyber security

Providers are required to implement cyber security measures that include:

  • the Essential Eight cyber security strategies;
  • information security risk management;
  • information security monitoring;
  • managing cybersecurity incidents;
  • restricted access controls.

Essential eight cyber security strategies

The Australian Cyber Security Centre (ACSC) has developed the Essential Eight strategies to mitigate cyber security incidents.

Providers are required to determine a target maturity level for each of the Essential Eight cyber security strategies that reflects the organisation’s risk profile and develop plans to achieve target levels over time. The Department requires that Providers initially implement controls supporting the Essential Eight cyber security strategies to achieve Maturity Level One on ACSC’s published maturity model. The strategies include:

  • application control: to control the execution of unauthorised software. This prevents unknown and potentially malicious programs executing in your environment.
  • patch applications: to remediate known security vulnerabilities in application software. Security vulnerabilities in applications can be used to execute malicious code. Using the latest version of applications and promptly applying patches when vulnerabilities have been identified will keep your environment robust.
  • configure Microsoft Office macro settings: to block untrusted macros. Microsoft Office macros can be used to deliver and execute malicious code. This strategy will only allow macros from trusted locations with limited write access, or those digitally signed with a trusted certificate, to run.
  • application hardening: to protect against vulnerable functionality. Flash, ads and Java on the internet are popular ways to deliver and execute malicious code. This strategy requires the removal of unneeded features in Microsoft Office, web browsers and PDF viewers.
  • restrict administrative privileges: to limit powerful access to systems. The access required by administrator accounts means they hold the keys to your IT kingdom. Minimise the number of these accounts and the level of privileges assigned to each account.
  • patch operating systems: to remediate known security vulnerabilities. Security vulnerabilities in operating systems can be used to further the compromise of systems. Do not use unsupported versions. Using the latest version of operating systems and promptly applying patches when vulnerabilities have been identified will limit the extent of cyber security incidents.
  • multi-factor authentication: to protect against user accounts being inappropriately accessed. Stronger user authentication makes it harder for adversaries to access information and systems. MFA requires a combination of two or more factors made up of secret information (such as an ID/password combination), data uniquely bound to a physical device (such as an authenticator app on a registered smartphone or a one-time SMS code), and data uniquely bound to a physical person (a biometric measure such as facial recognition or a fingerprint).
  • regular backups: to maintain the availability of critical data and systems. This strategy assists with accessing information following a cyber security incident. Backups of data, software and configuration settings, stored disconnected from your main environment, can be used to recover from an incident. Regular testing of backups ensure it can be recovered, and that all critical data is covered by the backup regimen.

Information security risk management

Providers are required to implement measures that embed information security risk management practices in their business. This includes applying a formal risk management process to identify, assess and respond to information security risks the Provider faces because of the deeds.

Information security monitoring

Providers are required to implement measures for managing vulnerabilities and managing changes to their systems. These should be designed to regularly identify new system vulnerabilities and address them in a timely manner using a structured change management process.

A structured change management process provides an opportunity for the risks associated with each change to be considered, and the changes prioritised according to business need. A structured change management process also ensures system changes are made in an accountable manner with appropriate testing and approvals.

Managing cybersecurity incidents

Providers are required to develop a formal approach to cybersecurity incident management that addresses Information Security Manual (ISM) guidance. Controls should be designed to detect and respond to cyber security incidents, to report incidents internally and to external stakeholders (including the Department) as appropriate, and to keep appropriate records of security incidents. 

As a key element of security incident detection, Providers should implement controls to log security-related events occurring in their IT systems and to audit these logs on a regular basis.

Restricted access controls

Providers are required to implement measures designed to uniquely identify, authenticate and authorise people accessing their systems. As well as measures designed to log and detect security-related events occurring in systems.

Access to systems and the data they process, store or communicate must be controlled through strong user identification and authentication practices. Such measures are equally applicable to all account types including user accounts, privileged accounts and service accounts.

An important note about third parties

Providers should note that they remain accountable for ensuring that any subcontractors delivering the Services on their behalf understand, implement and maintain a standard of security that reflects the Provider’s own obligations under their Deeds.

This principle is also relevant when external parties delivering services to or on behalf of the Provider have the potential to access premises, systems or information requiring protection under Deeds. For example, a contracted Managed Services Provider firm who administers your ICT systems on your behalf is likely to have a very high level of access to those systems and the data stored within.

Providers must take steps to ensure that RFFR security requirements are in place and operate effectively throughout their supply chain. Further information regarding management of third parties can be found in the “Management of Third Parties” publications on the Resources page.