Policy 6: Security governance for contracted goods and service providers

Purpose

This policy guides how to assess and manage security risks when procuring goods and services. It supports the Commonwealth Procurement Rules that govern how entities procure goods and services.

Overview

When entities procure goods and services, they should consider quality security outcomes as a key factor in determining value for money. It is important that entities balance the effort to assess and manage the procurement risks against the scale, scope and risk of the procurement. This will reduce the likelihood of additional financial and non-financial costs to government.

As part of the procurement, entities must also identify and document the security risks to their people, information and assets, as well as the strategies in place to mitigate them.

When developing procurement documents (such as requests for tender and subsequent contracts), entities must include relevant security provisions and appropriate protections. To achieve this, we encourage entities to include terms and conditions in their procurement documents.

We encourage entities to perform ongoing assessments to evaluate whether a contract service provider is complying with contract conditions. For example, entities can regularly inspect premises that store Australian Government information or assets, or monitor an ongoing accreditation program. It can help to identify a contract manager who is responsible for monitoring and reviewing risk for each contract.

Timely and thorough reporting of any incidents is important throughout the life of the contract. This allows entities to investigate and, if necessary, to adjust security procedures and contract conditions to mitigate security risks. It also allows entities to implement additional safeguards to avoid further security incidents.

When a contract is completed or terminated, entities must apply appropriate security arrangements. This helps to safeguard government resources and limit the potential compromise of sensitive or classified resources.