
The Growing Reliance and Risks of Third-Party Providers in Queensland Government Agencies

Third-Party Cyber Security: A Strategic Focus for Queensland Government Agencies

Insights and Recommendations from the Queensland Audit Office on Third-Party Security

Published on April 16, 2024, by the Queensland Audit Office, a new report highlights the increasing dependence of Queensland Government agencies on third-party providers. This shift raises the agencies’ inherent risk profile because the third parties’ compliance with security obligations is inadequately monitored. The Queensland Audit Office’s published Forward work plan states that there is a strong focus on helping Queensland Government agencies better understand their digital supply chain and the third-party risk factors involved, which requires continuous monitoring of security compliance.

The Queensland Audit Office points out that agencies often do not fully grasp that when a third-party vendor provides services, the vendor effectively becomes part of the government entity’s network. The entity’s control frameworks, which are crucial for protecting against, responding to, and recovering from cyber-attacks, must therefore extend to cover that vendor.

The key risks identified include:

  • Financial Risk: The potential financial implications of relying on third parties can be significant.
  • Reputational Risks: Data breaches can severely damage an agency’s public standing.
  • Operational Risks: Interruptions to business operations can arise from inadequate third-party services.

Future-Proofing Government Operations: The Critical Need for Robust Third-Party Risk Management

The Audit Office emphasises the need for robust governance in managing third-party provider risks, identifying three areas that often require attention:

  • Ineffective or Missing Controls: Some entities suffer from controls that are either ineffective or completely absent, leading to potential undetected misstatements in financial records.
  • Non-Compliance: There are recorded instances where entities fail to adhere to policies and legal regulations.
  • Inadequate Management of Risks: Many entities do not fully understand or manage the security risks posed by third-party service providers.

To combat these issues, the Queensland Audit Office recommends that leadership establish a system for continuous monitoring of third-party providers, ensuring that these vendors are integrated into the entity’s control environment. This places an obligation on government agencies to liaise effectively with third parties and obtain ongoing assurance that the necessary controls are in place and operating.

Additionally, the audit objectives set for 2023-2026 focus on how effectively public sector entities:

  • Identify third parties who have access to their data and network.
  • Assess the security vulnerabilities the entity is exposed to through third parties.
  • Establish relevant controls to manage third-party cyber security risks.
  • Minimise the impact of third-party security breaches.

The report suggests confidence can be achieved when:

  • Reports from vendors specifically identify and provide timely insights into the effectiveness of vendor controls.
  • There is a clearly defined process understood by both customer and vendor, detailing the steps to be taken during control reviews and actions to be taken in the event of control breakdowns.

The article concludes by posing a critical question: “If you are not receiving a report from the vendor, how are you mitigating the risks to your entity from the third-party provider?”

By following these recommendations, agencies can ensure a more secure and compliant operational environment when dealing with third-party providers.


Source: Managing third party cyber security risks | Queensland Audit Office (qao.qld.gov.au)