NDIS: Protective Security Policy Framework (PSPF) & Cybersecurity - obligated or not?

The request was partially successful.

Dear National Disability Insurance Agency,

You seem to be on a hiring blitz for cybersecurity folk. As of 13 Nov 22, you have no less than 6 cyber security positions you are trying to fill, all seemingly new roles.

1. Director Cyber Security Risk & Compliance (Canberra) https://www.seek.com.au/job/59173631
2. Director Cyber Security Risk & Compliance (Geelong) https://www.seek.com.au/job/59173632
3. Assistant Director Cyber Security Operations Centre (Capability Development) (Sydney) https://www.seek.com.au/job/59086662
4. Assistant Director Cyber Security Operations Centre (Capability Development) (Geelong) https://www.seek.com.au/job/59086570
5. Assistant Director Cyber Security Operations Centre (Capability Development) (Canberra) https://www.seek.com.au/job/59086597
6. Assistant Director Cyber Security Operations Centre (Capability Development) (Canberra) https://www.seek.com.au/job/59086645

All Assistant Director Roles state: "A new role awaits - The Protective and Cyber Security Branch implements the requirements of the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) within the Agency. This is achieved by providing strategic, Agency-wide oversight of Security across security governance, information security, personnel security, physical security, and cyber security and operations."

Whereas the Director Roles state: "Ensuring that the Agency meets all legislated and regulatory responsibilities for Agency information technology security, including remaining up to date with amendments to the Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF)."

This seems odd or mistaken, as the NDIA/NDIS has repeatedly stated that the PSPF has nothing to do with the NDIS and that the NDIA has no obligations whatsoever to follow or adhere to the Commonwealth Government's Protective Security Policy Framework.

"As a corporate Commonwealth entity, the Agency is required to adhere to the PSPF.", page 5, NDIS/NDIA Agency Security Plan, Sep 2020 seems somewhat at odds with the NDIS' declaration that "The NDIA is a Corporate Commonwealth Entity (CCE) which means that the Agency is NOT required to adhere to the PSPF", page 3, FOI 21/22-1320 - Notification of Decision, 2 May 22
https://www.righttoknow.org.au/request/n...

Repeatedly refuted and denied by the NDIS:

1. Data/information security - Salesforce (FOI 20/21-0873) 30 Jul 21
https://www.righttoknow.org.au/request/d...

2. NDIA Project Risk Management Policy and Procedure (FOI 20/21-0872) 11 Jun 21
https://www.righttoknow.org.au/request/n...

3. NDIS APIs, Security, Risk and Assurance (FOI 22/23-0600) 25 Oct 22
https://www.righttoknow.org.au/request/n...

4. NDIS Register of Security Designated Positions (FOI 21/22-0864) 11 Mar 22
https://www.righttoknow.org.au/request/n...

5. NDIS: Security Plan, Security Quality Assurance Policy & Personnel Security - PSPF (FOI 21/22-1320) 2 May 22
https://www.righttoknow.org.au/request/n...

So, my questions are:

1. Who specifically provided the advice that the NDIA was not required to comply with or follow the PSPF? Job title and location will suffice.
2. Noting all these new roles and requirements, was the person(s) consulted at the NDIS at the time qualified and competent to answer questions on cyber/security and the PSPF?
3. As the NDIS seems to have overnight sought to align with and comply with the PSPF, please provide a copy of the instruction or directive to do so.
4. Has there been (or is there) an investigation into providing inaccurate, seemingly false or potentially misleading information about the NDIS security (cyber included) obligations, compliance and assurance requirements?
5. Prior to this new found support and embracing of the PSPF, which specific security standards and framework did the NDIS/NDIA employ, attest to, report to the Attorney General's Department or provide guarantees, compliance or alignment with to any other Government/public entity?
6. Please provide a copy of the requirement and approval for all these new, sudden cyber security roles. Has the threat changed?
7. How many NDIS staff, contractors, providers and participants have been affected or compromised as a result of the Medibank, Optus, Australian Clinical Labs, or any other data breach, compromise or hack?

No doubt all this change will be summed up and clarified further in the recent device security and cyber security question around BYODs
https://www.righttoknow.org.au/request/n...

Yours faithfully,

Florence

foi, National Disability Insurance Agency

Thank you for your email to the National Disability Insurance Agency
(NDIA) Freedom of Information (FOI) team.

If your email relates to an FOI application made under the Commonwealth
Freedom of Information Act 1982 (FOI Act), we will respond to you as soon
as practicable.

This email address is for applications under the FOI Act only. Our team is
unable to respond to non-FOI related enquiries sent to this email address.
Any correspondence received that is not related to an FOI request will not
be responded to or forwarded.

Please be aware: due to a high volume of requests, our ability to respond
to you in a timely manner has been affected. However, we will action your
request as soon as possible.

Information about how to make an FOI request can be found on our website:
[1]Freedom of Information | NDIS.

The FOI Act sets out the criteria that must be met for a request to be
considered. The request you send us must:

* be in writing
* state that the request is an application for the purposes of the FOI
Act
* provide enough information to allow us to identify the documents you
are requesting
* provide an address for reply, either electronic or hard copy.

If you are seeking access to personal documents such as an NDIS Plan or
medical reports, please consider submitting your request through our
[2]Participant Information Access (PIA) web-form. This process will enable
you to receive applicable documents administratively, which is an easier
process than through the FOI Act.

If you have any questions about making an FOI request, or to enquire about
a current FOI request, please email us with your preferred contact method
and an FOI Decision Maker will contact you.

Should you have a query unrelated to FOI, please contact the Agency by
emailing [3][email address] or via webchat at [4]NDIA Web Chat
(ndis.gov.au). Alternatively, you can also contact us by phoning 1800 800
110.

Kind regards

Freedom of Information Team

Parliamentary, Ministerial and FOI Branch

Government Division

National Disability Insurance Agency

E: [5][NDIA request email]

References

Visible links
1. https://www.ndis.gov.au/about-us/policie...
2. https://aus01.safelinks.protection.outlo...
3. mailto:[email address]
4. https://aus01.safelinks.protection.outlo...
5. mailto:[NDIA request email]

Florence left an annotation ()

Remembering, the NDIS has never ever had non-Australian Citizens work there:
https://www.righttoknow.org.au/request/n...

Hired anyone for roles without prior experience and qualifications in the key area of management
https://www.righttoknow.org.au/request/n...

Was ever impacted by the Log4j2 vulnerability
https://www.righttoknow.org.au/request/n...

Complied with all data storage (on shore, etc) required by a government entity
https://www.righttoknow.org.au/request/n...

And can access them accordingly (and lawfully)
https://www.righttoknow.org.au/request/n...

foi, National Disability Insurance Agency

3 Attachments

Dear Florence

Freedom of Information Request: Acknowledgement

Thank you for your request of 13 November 2022, made under the Freedom of
Information Act 1982 (FOI Act), for copies of documents held by the
National Disability Insurance Agency (NDIA).

The NDIA has other, quicker ways to access the documents and
information that we hold. Please visit our [1]Access to Information
webpage to find out more about accessing information through:

* The [2]myplace portal for participants
* The [3]myplace portal for providers
* The [4]Participant Information Access (PIA) scheme
* The [5]Information Publication Scheme (IPS)

You can also request data and statistics outside of the FOI Act. Please
visit our [6]Data and insights webpage for further information.

If you decide to access your documents from the above sources please
respond to this email by copying the below and we will withdraw your FOI
request.

Hello FOI Team,

Thank you for your email. I confirm that I withdraw the FOI request.

Many thanks

Processing timeframes

If you wish to maintain a Freedom of Information request, please be
advised that due to a large increase in FOI requests over recent months,
we are currently experiencing delays in processing matters. As a result,
we are unlikely to process your matter within the legislative deadlines.
We are now seeking your agreement to extend the processing time by an
additional 30 days under section 15AA of the FOI Act. If you agree to this
extension, you can expect to receive a decision from us on or before 12
January 2023.

If you do not agree to the proposed extension of time, or you do not
provide a response to our request, we may need to seek an extension of
time with the Information Commissioner under section 15AB of the FOI Act.
Therefore, we ask that you please provide a response by 5 December 2022.

A 30-day statutory period for processing your request commenced from 14
November 2022, in accordance with section 15(2A)(c) of the FOI Act.
Therefore, the legislated deadline is 13 December 2022.

Processing periods may be extended if we need to consult with third
parties or for other reasons. We will advise you if this happens.

Further help

Please contact us at [7][NDIA request email] if you have any questions or need
help.

We will contact you using the email address you provided. Please advise if
you would prefer us to use an alternative means of contact.

Kind regards

Freedom of Information Officer

Parliamentary, Ministerial and FOI Branch

Government Division

National Disability Insurance Agency

E: [8][NDIA request email]
The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.

References

Visible links
1. https://aus01.safelinks.protection.outlo...
2. https://aus01.safelinks.protection.outlo...
3. https://aus01.safelinks.protection.outlo...
4. https://aus01.safelinks.protection.outlo...
5. https://aus01.safelinks.protection.outlo...
6. https://aus01.safelinks.protection.outlo...
7. mailto:[NDIA request email]
8. mailto:[NDIA request email]
10. https://aus01.safelinks.protection.outlo...

foi, National Disability Insurance Agency

5 Attachments

Dear Florence

Thank you for your request for information.

Please find attached correspondence and documents in relation to your
request. If you require these in a different format, please let us know.

Please contact us at [1][NDIA request email] if you have any questions or
require help.

Thank you.

Kind regards

Ankit
Freedom of Information Officer

Parliamentary, Ministerial and FOI Branch

Government Division

National Disability Insurance Agency

E: [2][NDIA request email]

The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.
