Industry partners to Australian government are well versed in information handling requirements.
However, recent changes to the Australian Government’s protective marking scheme (in force from October 2020) have put fresh emphasis and responsibility on partners to Government. Many suppliers also have a requirement to manage their own intellectual property and commercially sensitive information.
As part of an important supply chain, contractors who fail to comply with information handling requirements risk jeopardising existing and future contracts.
One clear mandate is for partners to be able to comprehensively identify, manage, secure and classify information, not only within their own infrastructure environment, but also when sending and receiving files externally.
At a minimum, partners must comply with the following security frameworks:
- the Australian Government Protective Security Policy Framework (PSPF)
- the Australian Government Information Security Manual (ISM)
- for any Australian Government Defence business, the Defence Security Principles Framework (DSPF) and the Defence Industry Security Program (DISP).
The DSPF was updated late 2020 to a principles-based framework, aligning Defence to the PSPF and the ISM. It's encapsulated in the 'DSPF Governance and Executive Guidance 31 July 2020' publication.
DISP membership is a mandatory requirement in any of the following circumstances:
- when working on classified information or assets
- when storing or transporting weapons or explosive ordnance
- when providing security services for Defence bases and facilities
- if there is a Defence business requirement for DISP membership in the contract.
For the exceptions to this, visit the Eligibility and Suitability section of the DISP website. While DISP membership may not be mandated in all circumstances, it is highly recommended when working on any Defence project.
WHY INFORMATION MANAGEMENT IS PART OF GOVERNMENT CONTRACTOR TERMS
Careful handling of customer information has always been a requirement of government, defence and commercial contracts. The advent of electronic information has increased the speed and volume of information transmission and loss.
Common errors are often the result of inadvertent actions by employees. These include emailing information that should not have been transmitted, attaching the wrong file, adding the wrong recipients to the email, or a combination of these.
Errors like these are easily made, yet can have significant implications. If your customers are government or your organization is part of a Defence supply chain, it is likely the information handled has an extra dimension of sensitivity when compared to commercial information. The implications of information mismanagement for national security, defence, trade, national safety and more can be critical.
Protecting against the damaging implications of information mismanagement is why government and Defence agencies require compliance for classified information handling. For contractors, protection of information extends beyond Confidentiality and Non-Disclosure Agreements to include compliance with standardised security frameworks, including PSPF and for defence contractors DSPF and, now, the DISP.
WHO IS RESPONSIBLE FOR INFORMATION MANAGEMENT?
When sensitive information of any kind needs to be communicated, the author and sender of that information is responsible for its handling and, it follows, would most likely be liable for a breach in its handling.
However, teams sharing information electronically are not always aware, skilled or up-to-date in information handling requirements. The average employee is measured by how well they perform their jobs, not by how well they protect information.
So it becomes the responsibility of the Risk Management Team and/or IT Security Team to proactively plan for how information is handled securely across, and beyond, the organization. For correct information handling to be part of the business process and easily understood by employees, simple technology-based controls are necessary, such as information classification.
For comprehensive information protection and compliance, we recommend every organization makes a distinction between public and confidential information on each email transaction. Knowing the fallibility of humans, every organization will benefit from taking steps to introduce technology and processes to safely handle information.
GETTING STARTED WITH INFORMATION MANAGEMENT
Some agencies have standardised, sophisticated information handling requirements and expect contractors to match their methodology. Others won’t require contractors to use their marking scheme. Yet others again adopt a risk-based approach and expect contractors to have information handling requirements already in place.
Regardless of contractual responsibilities in government or defence contracts, we recommend organisations make plans to take care of their own information assets and to nurture a security-conscious culture. Contractors whose controls are found to be lacking, either through a failed audit or through lost or mishandled information, will likely be told to immediately correct the shortcomings or risk losing the contract.
A fast, easy, cost-effective starting point is email security markings. These markings are visible in email trails, giving government and Defence organisations quick insight into which contractors are able to identify and control sensitive information, and which can't.
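The marking check described above can be automated at the mail gateway. The following is an added example, not code from the original article or from any product it describes. It assumes the marking syntax of the PSPF email protective marking scheme (a `[SEC=...]` token in the subject line and an `X-Protective-Marking` header); the sample messages, the trusted-domain list and the external ceiling are constructed for the example.

```python
import re

# Protective marking levels ranked from least to most sensitive.
# The order is what the "ceiling" check below relies on.
LEVELS = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL:Sensitive", "PROTECTED"]

# Subject-line token, e.g. "[SEC=OFFICIAL:Sensitive, ACCESS=Legal-Privilege]".
SUBJECT_RE = re.compile(r"\[SEC=([A-Za-z:]+)[^\]]*\]")
# SEC= field inside the X-Protective-Marking header value.
HEADER_RE = re.compile(r"\bSEC=([A-Za-z:]+)")


def marking_from_subject(subject):
    """Return the SEC level carried in the subject line, or None."""
    m = SUBJECT_RE.search(subject)
    return m.group(1) if m else None


def marking_from_header(header_value):
    """Return the SEC level carried in the X-Protective-Marking header, or None."""
    m = HEADER_RE.search(header_value or "")
    return m.group(1) if m else None


def recipient_domains(recipients):
    """Lower-cased domain part of every recipient address."""
    return {addr.rsplit("@", 1)[-1].lower() for addr in recipients}


def check_outbound(message, policy):
    """Return a list of findings for one outbound message; empty means it may go.

    message: dict with "subject", "to" (list) and optional "x_protective_marking".
    policy:  dict with "trusted_domains" (set) and "external_ceiling" (a LEVELS entry),
             the highest level that may leave for an untrusted domain.
    """
    findings = []
    subj = marking_from_subject(message["subject"])
    hdr = marking_from_header(message.get("x_protective_marking"))

    if subj is None and hdr is None:
        findings.append("no protective marking on subject or header")
        return findings
    if subj and hdr and subj != hdr:
        findings.append(f"subject marking {subj} disagrees with header marking {hdr}")

    level = subj or hdr
    if level not in LEVELS:
        findings.append(f"unknown marking {level}")
        return findings

    ceiling = policy["external_ceiling"]
    for domain in sorted(recipient_domains(message["to"])):
        if domain in policy["trusted_domains"]:
            continue
        if LEVELS.index(level) > LEVELS.index(ceiling):
            findings.append(
                f"{level} mail to untrusted domain {domain} exceeds external ceiling {ceiling}"
            )
    return findings


# Constructed policy and sample messages (not real addresses or traffic).
POLICY = {"trusted_domains": {"defence.gov.au"}, "external_ceiling": "OFFICIAL"}
SAMPLES = [
    {"subject": "[SEC=OFFICIAL:Sensitive] Q3 delivery schedule",
     "x_protective_marking": "VER=2018.4, NS=gov.au, SEC=OFFICIAL:Sensitive, ORIGIN=pm@contractor.example",
     "to": ["project.office@defence.gov.au"]},
    {"subject": "Re: lunch on Friday", "to": ["someone@partner.example"]},
    {"subject": "[SEC=PROTECTED] site drawings", "to": ["drafting@partner.example"]},
    {"subject": "[SEC=OFFICIAL] meeting notes",
     "x_protective_marking": "VER=2018.4, NS=gov.au, SEC=OFFICIAL:Sensitive, ORIGIN=pm@contractor.example",
     "to": ["project.office@defence.gov.au"]},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["subject"], "->", check_outbound(msg, POLICY) or "OK")
```

The gateway refuses to guess: a message with no marking at all is reported rather than defaulted to UNOFFICIAL, and a subject that disagrees with the header is flagged so the sender (who carries the responsibility described earlier) corrects it instead of the tool silently choosing one.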
BENEFITS OF INFORMATION MANAGEMENT
In addition to meeting compliance requirements, benefits of information security and classification solutions include:
- reduction in accidental loss of data by:
  - easy identification of sensitive information
  - improved, secure access to sensitive data
  - raising employee awareness around data sensitivity
- seamless integration with data loss prevention (DLP) solutions
- prevention of data loss from insider threats
- improved rules-based DLP practices
- electronic records management.
BEST PRACTICE FOR INFORMATION MANAGEMENT
Organisations that securely manage information typically use a simple tiered classification methodology. A tiered methodology offers employees classification options relevant to their role, the information being handled and the clearance levels of the recipient. A tiered scheme also gives your organisation the flexibility to meet multiple customer, commercial or legislative requirements.
For more information, or to schedule time for a conversation specific to your requirements, please contact us via the form below: