Legislative Council: Tuesday, February 07, 2023


Auditor-General's Report

In reply to the Hon. T.A. FRANKS (15 November 2022).

The Hon. K.J. MAHER (Minister for Aboriginal Affairs, Attorney-General, Minister for Industrial Relations and Public Sector): I have been advised:

The South Australian Protective Security Framework (SAPSF) and the South Australian Cyber Security Framework (SACSF) state that government agencies must manage security risks to government information arising from external service suppliers by:

Ensuring cybersecurity obligations addressing identified risks are included in all agreements with suppliers.

Obtaining assurance from suppliers that they are meeting their cybersecurity obligations upon contract award and periodically thereafter.

Minimum requirements for the security of government data and compliance with these security frameworks are currently being incorporated into standard contract templates and clauses issued by the Department of Treasury and Finance.

Treasurer's Instruction 18 on procurement, and its supporting policies, are currently being updated to reflect the government's election commitments. As part of these changes, it will be made clear that chief executives are responsible for ensuring that internal agency processes meet whole-of-government policy requirements for procurement governance and contract management associated with cybersecurity.

There are varying resources and skills available across government to appropriately manage supplier cybersecurity risks in procurement and provide ongoing assurance of contractual requirements in accordance with policy. The Department of the Premier and Cabinet is developing a program to uplift supplier cyber security risk management across all levels of procurement in government. Additional resources will be aligned with existing processes, so that risk can be managed to a consistent standard.