govCMS is suitable for “unclassified” websites containing unclassified and publicly available information.
govCMS uses a shared security model.
Agencies using the govCMS Software as a Service (SaaS) get high quality security protection and security compliance for much less than they might pay individually. Other than looking after staff user accounts and content, which remain the responsibility of the agency, security is managed by Finance and our service provider.
The benefits for agencies include security patching, support and 24/7 monitoring. The ongoing assessment of security by Finance ensures that agencies are not burdened by having to undertake their own security assessment.
Site protection features
Websites hosted in the govCMS SaaS environment have automatic protection against distributed denial of service (DDoS) attacks, and the service includes a content delivery network (CDN) which improves site performance by caching content.
The SaaS environment also includes a web application firewall (WAF), which filters, monitors, and can block traffic to and from a govCMS site. By monitoring traffic, a WAF can prevent attacks that exploit application security flaws, such as Structured Query Language (SQL) injection, Cross-Site Scripting (XSS) and security misconfigurations. Read more about site protection.
PaaS customers are encouraged to make use of DDoS, CDN and WAF services. On PaaS, these services can be purchased at an additional cost. A number of suppliers have packages available. Find out more about govCMS suppliers.
The SaaS component of the govCMS Site Factory was security accredited by the Department of Finance on 8 May 2015 at the unclassified level for govCMS customer/agency systems and information hosted in the Amazon Web Services (AWS) Asia Pacific (Sydney) region.
The infrastructure layer of AWS cloud services is accredited. Further information about cloud services is available from the Certified Cloud Services List managed by the Australian Signals Directorate.
Encryption of site visits using SSL security certificates
All sites hosted on the govCMS SaaS environment must use Secure Sockets Layer (SSL) security certificates for their public facing web content.
govCMS manages a shared SSL certificate to which each agency's website domain name is added. More about configuring an agency domain for SaaS hosting.
The govCMS SaaS content publishing environment is secured by default with its own SSL certificate.
PaaS customers have the ability to manage their own security certificates. SSL certificates can be added to their dev, test and production environments via an online configuration tool.
Both the SaaS and PaaS platforms have completed a thorough Information Security Registered Assessors Program (IRAP) assessment against the Australian Government Information Security Manual (ISM).
The SaaS platform covers:
- Drupal Layer, including an automated site review tool (Acquia Insight)
- Network Layer Security
- Operating System Layer Security, including patches and vulnerability scans
- Platform Controls, including backups and 24x7 monitoring
- Physical Security
- Corporate Controls, including policies and procedures, change control, incident reporting, and security training
For the PaaS Platform, given that custom development can introduce vulnerabilities, the Agency takes responsibility for the Drupal application layer. The System Security Plan for both platforms is available from Finance. Contact the govCMS team for a copy.
In accordance with the Australian Government Information Security Manual (ISM) and Protective Security Policy Framework (PSPF), agencies are responsible for conducting a risk assessment of their use of cloud services, and performing due diligence reviews of the financial, privacy, data ownership, data sovereignty and legal risks associated with contracting cloud computing services.
Further information on security compliance:
- Protective Security Policy Framework
- Australian Government Information Security Manual (ISM)
- Australian Signals Directorate (ASD) cloud computing security considerations
- Risk management of outsourced ICT arrangements (including Cloud)
Privacy guidance is included in the Privacy Act and the Australian Privacy Principles (APPs).
If you detect or suspect an incident, threat or weakness relating to your Agency website hosted on govCMS, report it by raising a support ticket as soon as possible.