DIAC security threatened by flood of contractors

The information systems of Australia's Department of Immigration and Citizenship (DIAC) are at risk because the department has been flooded by 10,000 IT contractors, according to its director of protective security, Mark Handley.
Written by Liam Tung, Contributing Writer

A clarification was made to this story.
Read below for details.

The Department of Immigration and Citizenship's (DIAC) network has been threatened by a flood of IT contractors.

Since 2003, the number of staff-security clearances DIAC processes annually has more than tripled from 800 to 2,500, according to Mark Handley, director of protective security at DIAC, who spoke at The National Corporate Security Summit in Sydney today.

Some 90 per cent of DIAC's staff — temporary and permanent — require some level of security clearance and the demand for contractors shows no signs of slowing. "We're well on track to do 2,500 clearances this year," said Handley.

Security clearances, ranging from "protected" to "top secret", determine what systems and information staff can access while employed with the agency. These must comply with the Australian Government Protective Security Manual (PSM).

"If you do the maths, 10,000 clearances over four years for a department of less than 10,000, indicates there is a significant churn rate. That churn rate is mainly in contractors... And it's basically contractors coming in to work on a short term project and going out — that's where our clearances are mainly focused," said Handley.

To manage the higher volume of staff clearances, DIAC outsourced the process in 2004, which cost it AU$1 million per year, according to Handley. Currently, an internal team of 10 security clearance assessors handles priority cases (which make up 10 per cent of the total), while the bulk is handled by contracting companies.

"In Immigration we share much of the responsibility for security with our contracted service providers. For example, our larger providers may develop their own security policy — based on our interpretation of the PSM, of course... We have agreements with some companies that they will actually manage the security clearance process," he said.

Handley says that "empowering the contractor to be responsible and accountable for their security practices has resulted in excellent long term working relationships with our providers". However, offering a degree of autonomy has proved a headache too — especially when the term of a contract is about to end.

"We had a recent contract where we were tendering out our IT support systems. There was a problem there. [The incumbent provider] could access every nook and cranny of our process. That's why we cleared every single one of them to protect it. How could we protect commercial-in-confidence material from a professional who is concerned about his job?

"We had to go to extraordinary lengths. We even got our own separate network on a floor in a building that was compartmentalised from any other areas. We did not allow the IT company that was our incumbent at the time to provide us with any services for that network because there was material that directly affected the future of that company," said Handley.

"The problem is that commercial-in-confidence material can be much more damaging than top secret," he added.

DIAC's technology partner for the AU$496 million Systems for People overhaul is IBM. Other smaller providers include UXC, Fujitsu, EDS, Oracle, Siebel and smaller suppliers Tibco, RuleBurst and Apis Computing.

DIAC's ongoing AU$200 million a year IT operations have previously been dominated by IT outsourcing company CSC; however, in January 2007 the department handed an AU$140 million contract to Unisys. CSC recently signed a two-year deal worth AU$110 million to manage DIAC's mainframe and mid-range computing needs.
