Dear National Disability Insurance Agency,

As of today (1 Oct 22) how many APIs (application programming interfaces) are there at the NDIA/NDIS? Are they all 'secure by design'? Have they all been cybersecurity tested and certified? Have they all been risk assessed and approved? Can I please have a copy of the report that confirms and sums all this up? Along with some information on the qualifications and experience of the individuals/vendors that conducted this recent, ongoing analysis.

Noting the NDIS/NDIA is not obligated, nor complies with the Australian Government's Protective Security Policy Framework (PSPF), can you please provide details on which/what specific cybersecurity standards and government level security standard(s) are used at the NDIS?

This includes all APIs used for bridging between applications, payments processing, connecting to participants' bank accounts and details, provider billing, government integration, internal systems, data estate query, payment/shopping, accommodation, GST, etc. connections.

Today's Australian Financial Review has some more information and context, if my request is unclear.

How the Optus breach will change corporate Australia forever

"The hack was reportedly to an unprotected API endpoint, which provides access to customer data, but Optus is only making us aware about the data that they are obliged to," "But this API may have data about credit history, account history or other attributes that are linked to my Optus profile. APIs are typically rich with data as they provide the backbone for applications to operate. Optus needs to be more open about this.
"I also fear that if it's true that this was a development environment, then it's also quite likely that a lot of the monitoring and logging required for deep forensic analysis simply won't exist, as it's often not turned on for development environments.
"This is a scary thought, as the reality for Optus in this case is that they will never know the true extent, in which case you have to only assume the worst, that all the data was exfiltrated," he says... lax protection shows businesses, such as Optus, have seemingly forgotten that customers' data doesn't belong to them, and says they should start treating it as a privilege to look after it."

https://www.afr.com/technology/how-the-o...

Yours faithfully,

Beverly

foi, National Disability Insurance Agency

Thank you for your email to the National Disability Insurance Agency
(NDIA) Freedom of Information (FOI) team.  

 

If your email relates to an FOI application made under the Commonwealth
Freedom of Information Act 1982 (FOI Act), the Agency will respond to you
as soon as practicable. 

 

This email address is for applications under the FOI Act only. The Agency
is unable to respond to non-FOI related enquiries sent to this email
address. Any correspondence received that is not an information access
request will not be responded to or forwarded.  

 

If you are seeking to access your personal documents, please consider
submitting your request through our [1]Participant Information Access
(PIA) web-form, which will allow the matter to be processed
administratively. 

 

Should you have a query unrelated to FOI, please contact us by emailing at
[2][email address] or via webchat at [3]NDIA Web Chat (ndis.gov.au).
Alternatively you can also contact us by phoning 1800 800 110. 

 

If you have any questions about making an FOI request, or to enquire about
a current FOI request, please email us with your phone number and a
preferred time for us to call you, and an FOI Decision Maker will call you
back. 

 

Kind regards 

 

Freedom of Information team 

Parliamentary, Ministerial & FOI Branch  

Government  

National Disability Insurance Agency 

Email: [4][NDIA request email]  

**********************************************************************
IMPORTANT: This e-mail is for the use of the intended recipient only and
may contain information that is confidential, commercially valuable and/or
subject to legal or parliamentary privilege. If you are not the intended
recipient you are notified that any review, re-transmission, disclosure,
dissemination or other use of, or taking of any action in reliance upon,
this information is prohibited and may result in severe penalties. If you
have received this e-mail in error please notify the sender immediately
and delete all electronic and hard copies of this transmission together
with any attachments. Please consider the environment before printing this
e-mail
**********************************************************************

References

Visible links
1. https://aus01.safelinks.protection.outlo...
2. mailto:[email address]
3. https://aus01.safelinks.protection.outlo...
4. mailto:[NDIA request email]


foi, National Disability Insurance Agency

3 Attachments

Dear Beverly

 

Freedom of Information Request: Acknowledgement

Thank you for your request of 1 October 2022, made under the Freedom of
Information Act 1982 (FOI Act), for copies of documents held by the
National Disability Insurance Agency (NDIA).

 

Scope of your request

You have requested access to the following documents:

 

As of today (1 Oct 22) how many APIs (application programming interfaces)
are there at the NDIA/NDIS? Are they all 'secure by design'? Have they all
been cybersecurity tested and certified? Have they all been risk assessed
and approved? Can I please have a copy of the report that confirms and
sums all this up? Along with some information on the qualifications and
experience of the individuals/vendors that conducted this recent, ongoing
analysis.

 

Noting the NDIS/NDIA is not obligated, nor complies with the Australian
Government's Protective Security Policy Framework (PSPF), can you please
provide details on which/what specific cybersecurity standards and
government level security standard(s) are used at the NDIS?

 

This includes all APIs used for bridging between applications, payments
processing, connecting to participants' bank accounts and details, provider
billing, government integration, internal systems, data estate query,
payment/shopping, accommodation, GST, etc. connections.

 

Unless you advise otherwise, we will take it that you agree to the names
and contact details of NDIA staff being excluded from the scope of your
request (that is, the information will be treated as irrelevant).

 

Processing timeframes

A 30-day statutory period for processing your request commenced from 2
October 2022 in accordance with section 15(2A)(c) of the FOI Act. You
should, therefore, expect a decision from us by 31 October 2022.

 

This period may be extended if we need to consult with third parties or
for other reasons. We will advise you if this happens.

 

Charges

We may apply a processing charge to your request and will advise you as
soon as practicable if a charge is payable.

 

Disclosure Log

Information released under the FOI Act may be published on the NDIA’s
disclosure log located on our website, subject to certain exceptions.

If you have any concerns about the publication of information you have
requested, please contact us.

 

Further help

Please contact us at [1][NDIA request email] if you have any questions or need
help.

We will contact you using the email address you provided. Please advise if
you would prefer us to use an alternative means of contact.

 

Kind regards

 

Freedom of Information Officer

Parliamentary, Ministerial and FOI Branch

Government Division

National Disability Insurance Agency

E: [2][NDIA request email]

 


The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.


 


References

Visible links
1. mailto:[NDIA request email]
2. mailto:[NDIA request email]


foi, National Disability Insurance Agency

4 Attachments

Dear Beverly

 

Thank you for your request for information.

 

Please find attached correspondence in relation to your request. If you
require the attachment in a different format, please let us know.

 

Please contact us at [1][NDIA request email] if you have any questions or
require help.

 

Kind regards

 

Freedom of Information Officer

Parliamentary, Ministerial and FOI Branch

Government Division

National Disability Insurance Agency

E: [2][NDIA request email]

 


The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.


 


References

Visible links
1. mailto:[NDIA request email]
2. mailto:[NDIA request email]


Josh left an annotation

Compromised API led to data theft of 37 million T-Mobile customers... just saying. https://www.itworldcanada.com/article/co...