Contractors must apply governance measures to maintain the security of our information, including a documentation framework and system audits.
Contractors must have an established security documentation framework including a hierarchical listing of all information security documentation and their relationships, or adopt the documentation structure and naming conventions of the Australian Government Information Security Manual (ISM).
Contractors must develop documentation to effectively manage the IT security framework for systems that store, process or communicate ATO information.
Key IT security documentation includes:
- information security policy
- security risk management plan (SRMP)
- system security plan (SSP)
- incident response plan (IRP)
- standard operating procedures (SOPs)
- security architecture design
- audit logging plans.
Security documentation should be maintained appropriately and should be:
- formally approved by an authorised person
- reviewed at least annually and after significant changes to the system.
System audits
Contractors must conduct audits every 18 months of their systems that store, process or communicate ATO information, and provide a report of the results to us. A summary of the results, and of the treatment of any identified risks, is to be included in the security risk management plan.
You need to conduct audits on a regular basis that:
- compare the approved system documentation with the actual implementation
- determine the effectiveness of the implemented controls
- identify ineffective controls for remediation.
We reserve the right to require evidence of compliance with this cyber security requirement, and to inspect contractor processes.
Contractors shall permit nominated ATO personnel to perform an IT security compliance review of contractor IT systems and operations as required. Contractors must provide suitable contacts and resources at the start of the contract so that nominated ATO personnel can verify that your IT systems that store, process or communicate ATO information are operating securely.
Evidence collected may include documentation such as architecture diagrams, procedures and system output, and observed behaviour such as system settings and log output.