With some 48,000 contracts, worth an estimated $14.8 billion, entered into by federal government departments annually, security procedures for dealing with contractors still require improvement, according to the Australian National Audit Office (ANAO).
In a recent report titled Managing Security Issues in Procurement and Contracting, the ANAO examined 44 contracts, including at least 20 related to IT, across four agencies to evaluate whether they were effectively managing security risks arising from the use of contractors.
The Australian Customs Service, Commonwealth Superannuation Administration, the Department of Finance and Administration, and the Department of Foreign Affairs and Trade were involved in the audit. The Attorney General's Department, responsible for the administration of the Protective Security Manual (PSM) was also consulted.
The PSM is the main source of protective security policies, principles and responsibilities for Australian government agencies, and prescribes the "minimum protective security standards" for agencies to maintain, including protecting the official information it generates and receives.
The audit focused on two broad types of contracting arrangements: contracting of security functions; and contracting of any service or business function that may require contractors to access sensitive or security classified information.
Overall, the ANAO concluded that the audited agencies were effectively managing security risks during the procurement phase when contracting out security functions, or functions that may require contractors to access sensitive information; however, the audit identified scope to improve the management of security risks once contractors had been appointed.
Interestingly, of the four audited agencies, there was a record of one recent security breach involving a contract examined during the audit.
"While this suggests that contractors may have largely adhered to security requirements, the ANAO notes that security breaches are sometimes not reported," according to the report. "In this regard, one of the audited agencies did not have a system to effectively monitor and report such incidents."
With an estimated asset base of $206 billion across the general government sector, contracting is an integral part of the way Australian government agencies conduct business.
Another area cited as lacking in security are training programs for new contractors.
Here agencies could have improved processes and practices to ensure appointed contractors attend security training; monitor contractors' adherence to security requirements in contracts; and reassess security risks in contracts when circumstances changed substantially, or when contracts were extended significantly beyond their original life.