Security
What you need to know about security and GovCMS
To report a security issue on GovCMS, raise your concern via the Contact Us page.
GovCMS provides hosting for websites that contain publicly available information with a security classification up to OFFICIAL: Sensitive.
GovCMS Software as a Service (SaaS) customers get high quality security protection and compliance. Our services include website protection and ongoing website security assessments including IRAP. We also provide security patching, support and 24/7 monitoring. You are responsible for staff user accounts and content.
GovCMS Platform as a Service (PaaS) customers have greater responsibilities. PaaS websites don’t receive the same level of protection as provided to SaaS customers. PaaS customers need to ensure their website is secure. You'll need to do your own security updates and patching as well as installation of module updates. Web protection services are an optional extra.
The Platform layer for PaaS is also rated to OFFICIAL: Sensitive. Customers with PaaS websites are responsible for the Drupal application layer, user accounts, and content. Be mindful of your responsibility for others working with you such as external service providers and developers. Custom development can expose you to vulnerabilities.
| Security features | Software as a Service (SaaS) | Platform as a Service (PaaS) |
|---|---|---|
| IRAP assessed | Everything is covered. You don’t need to undertake your own assessment. You still need to consider undertaking a risk assessment. | Only the infrastructure layer is covered. You are responsible for the Drupal application layer. You need to do your own IRAP at your own cost. |
| Security updates | All patching, including security updates, is managed by us. | You’re responsible for all patching, including security updates, or you can pay a service provider. |
| Web protection service CDN, WAF and | Part of the service, at no extra cost. | Web protection is an additional cost. |
| CMS maintenance | We do it for you. Updates to the CMS are rolled out to all SaaS customers. | You can access the GovCMS Distribution for updates but need to deploy the changes to your own websites, or you can pay a service provider. |
Website protection services
The GovCMS web protection services defend websites against threats and attacks. They include a Web Application Firewall (WAF).
If you are a SaaS customer, this service is included in your plan. PaaS customers can choose to add this option at an additional cost.
Information Security Registered Assessors Program (IRAP)
An IRAP Assessment is a security assessment performed by an ASD endorsed cyber security professional.
The GovCMS platform has undergone and completed an IRAP assessment against the 2019 Australian Government Information Security Manual (ISM) at the OFFICIAL: Sensitive level.
What does this mean for you?
Though you can store OFFICIAL: Sensitive information it doesn’t mean you should. The Privacy Act and Australian Privacy Principles have set out obligations that need to be followed. This means giving notice if you are going to collect information.
Talk to your Privacy Officer if you are thinking of using GovCMS to collect information. This is especially important if your site has web forms in it. Your responsibilities under the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF) include risk assessment and diligence.
Two-factor authentication
Why TFA?
Multi-factor authentication (sometimes referred to as Two-Factor Authentication or 2FA) is mandatory and enforced on the GovCMS platform, as per the Information Security Manual (ISM) guidelines provided by the Australian Cyber Security Centre (www.cyber.gov.au). Two-factor authentication uses two separate authentication factors to confirm a user’s identity, adding an extra level of protection to user accounts.
The GovCMS platform has been assessed by a member of the InfoSec Registered Assessors Program (IRAP), in accordance with the ISM and Protective Security Policy Framework (PSPF), for data classified up to OFFICIAL: Sensitive.
The Australian Cyber Security Centre website has more information on how multi-factor authentication works and why it is needed.
Generic, common or shared user accounts
Having uniquely identifiable users ensures accountability for access to systems and their resources. Generic, common or shared usernames and passwords are not permitted under the ISM guidelines. Any use of generic, common or shared accounts is not in line with this control, and is therefore not supported on GovCMS.
Secure Sockets Layer (SSL) certificates
Traffic to all GovCMS sites must be served over HTTPS using Transport Layer Security (TLS), which requires a TLS/SSL certificate.
SaaS and PaaS sites that use the GovCMS Content Delivery Network (CDN) will be issued with a TLS/SSL certificate. The managed configuration of these certificates ensures that only strong TLS protocol versions are supported. All PaaS sites without a subscription to the GovCMS CDN must arrange their own TLS/SSL certificate and a configuration that supports strong TLS versions (refer to the latest version of the ISM).
Instructions to support the deployment of an SSL certificate for all SaaS and PaaS sites using the GovCMS CDN will be made available during the onboarding process.
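A PaaS site that manages its own certificate and TLS configuration has no managed check telling it which protocol versions its server still accepts. The following Python script is an added example, not GovCMS code or guidance: it pins a client handshake to one TLS version at a time, records which versions the server accepts, and judges the result. Which versions count as strong or weak is an assumption made here (TLS 1.2 and 1.3 acceptable, anything older not); the current ISM is the authority, so check it before relying on these sets. The hostname used in the usage block is a placeholder.

```python
"""Probe which TLS protocol versions a site accepts and judge the result."""
import socket
import ssl
import sys
import warnings

# ASSUMPTION for this example: TLS 1.2/1.3 are acceptable, older versions are
# not. Confirm against the current ISM before using these sets in anger.
STRONG = {"TLSv1.2", "TLSv1.3"}
WEAK = {"TLSv1", "TLSv1.1"}

# Names as returned by SSLSocket.version(), mapped to the ssl enum values.
VERSION_BY_NAME = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, name, port=443, timeout=5.0):
    """Attempt one handshake pinned to a single TLS version.

    Returns True if the server completed the handshake at exactly that
    version. Caveat: False can also mean the local OpenSSL build refuses to
    offer an old version, so confirm a 'refused' result with a second tool
    before reporting it as a property of the server.
    """
    try:
        ctx = ssl.create_default_context()  # keeps certificate and hostname checks on
        with warnings.catch_warnings():
            # The TLSv1 / TLSv1_1 enum members are deprecated; we set them on purpose.
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = VERSION_BY_NAME[name]
            ctx.maximum_version = VERSION_BY_NAME[name]
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == name
    except (ssl.SSLError, OSError, ValueError):
        # Handshake refused, network error, or version unsupported locally.
        return False


def assess(accepted):
    """Judge a {version_name: accepted_bool} map against the STRONG/WEAK sets.

    Returns (compliant, findings). A site is compliant when it accepts no weak
    version and accepts at least one strong version.
    """
    findings = []
    for name in sorted(WEAK & set(accepted)):
        if accepted[name]:
            findings.append(f"{name} accepted: disable it")
    if not any(accepted.get(name) for name in STRONG):
        findings.append("no strong TLS version accepted")
    return (not findings, findings)


def audit(host, port=443):
    """Probe every known version against one host and assess the outcome."""
    results = {name: probe_version(host, name, port) for name in VERSION_BY_NAME}
    return results, assess(results)


if __name__ == "__main__":
    # Hypothetical usage: python tls_check.py www.example.gov.au
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    results, (compliant, findings) = audit(target)
    for name, ok in results.items():
        print(f"{name:8s} {'accepted' if ok else 'refused'}")
    print("compliant" if compliant else "\n".join(findings))
```

The probe keeps the default context's certificate and hostname validation switched on, so a handshake that succeeds at a strong version also confirms that the certificate chain and name are in order for a standard client. Because a local OpenSSL security level can stop the client from even offering TLS 1.0 or 1.1, treat a "refused" result for those versions as unconfirmed until a second tool agrees.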
Risk assessments and security plans
According to the Australian Government Information Security Manual (ISM) and Protective Security Policy Framework (PSPF), risk assessments of your organisation’s cloud services are your responsibility.
Organisations must perform due diligence. This includes reviews of financial, privacy, data ownership and data sovereignty risks. It also includes the legal risks of contracting cloud computing services.
The System Security Plans are available on request. These can be provided to the organisation’s nominated IT Security Advisor.
Privacy impact assessments
A privacy impact assessment (PIA) is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.
PIAs are an important component in the protection of privacy, and should be part of the overall risk management and planning processes of APP entities.
More information about PIAs can be found on the Office of the Australian Information Commissioner (OAIC) website.
Privacy Impact Assessment Template
GovCMS is providing a PIA template as a starting point for use by agencies on the GovCMS platform. This template has been created in consultation with our legal advisors.
Please note: Completing a PIA is a business decision you need to make in consultation with your privacy team. GovCMS doesn’t require you to do one. We also don’t provide advice, review, or approve your assessment. The Office of the Australian Information Commissioner (OAIC) provides information on conducting a PIA threshold assessment. This can help determine if a PIA is required.
More information and resources
We’ve included some links to resources you may find useful: