What you need to know about security and GovCMS

To report a security issue on GovCMS, raise a support ticket.

GovCMS provides hosting for websites that contain publicly available information with a security classification up to Official:Sensitive.

GovCMS Software as a Service (SaaS) customers get high quality security protection and compliance. Our services include website protection and ongoing website security assessments including IRAP. We also provide security patching, support and 24/7 monitoring. You are responsible for staff user accounts and content.

GovCMS Platform as a Service (PaaS) customers have greater responsibilities. PaaS websites don’t receive the same level of protection as provided to SaaS customers. PaaS customers need to ensure their website is secure. You'll need to do your own security updates and patching as well as installation of module updates. Web protection services are an optional extra.

The Platform layer for PaaS is also rated to Official:Sensitive. Customers with PaaS websites are responsible for the Drupal application layer, user accounts, and content. Be mindful of your responsibility for others working with you such as external service providers and developers. Custom development can expose you to vulnerabilities.

Security features

Software as a Service (SaaS)

Platform as a Service (PaaS)

Security accredited (IRAP assessed)

Everything is covered. You don’t need to undertake your own assessment.

You still need to consider undertaking a risk assessment.

Infrastructure layer only is covered. You are responsible for the Drupal application layer.

You need to do your own IRAP at your own cost.

Security updates

All patching including security updates is managed by us.

You’re responsible for all patching including security updates or you can pay a service provider.

Web protection service

CDN, WAF and

Part of the service - no extra cost.

Web protection is an additional cost.

CMS Maintenance

We do it for you.

Updates to the CMS are rolled out to all SaaS customers.

You can access the GovCMS Distribution for updates but need to deploy the changes to your own websites or you can pay a service provider.

Website protection services

The GovCMS web protection services prevent website threats and attacks. It includes Web Application Firewall.

If you are a SaaS customer this service is inclusive in your plan. PaaS customers can choose to include this option at an additional cost.

Information Security Registered Assessors Program (IRAP)

The IRAP accreditation is a security assessment performed by a registered assessor.

The GovCMS platform has completed an IRAP assessment against the Australian Government Information Security Manual (ISM).

The GovCMS platform has undergone an IRAP assessment against the 2019 ISM to be accredited to OFFICIAL: Sensitive.

What does this mean for you?

Though you can store OFFICIAL: Sensitive information it doesn’t mean you should. The Privacy Act and Australian Privacy Principles have set out obligations that need to be followed. This means giving notice if you are going to collect information.

Talk to your Privacy Officer if you are thinking of using GovCMS to collect information. This is especially important if your site has web forms in it. Your responsibilities under the Information Security Manual (ISM) and Protective Security Policy Framework (PSPF) include risk assessment and diligence.

Two-factor authentication

Why TFA?

Multi-factor authentication (sometimes referred to as Two-Factor Authentication or 2FA) is mandatory and enforced on the GovCMS platform as per the Information Security Management (ISM) guidelines provided by the Australian Cyber Security Centre ( Two-factor authentication uses two separate authentication factors to confirm a user’s identity, adding an extra level of protection to user accounts.

The GovCMS platform has been audited by a member of the InfoSec Registered Assessors Program (IRAP) and is accredited for use in accordance with the ISM and Protective Security Policy Framework (PSPF) for data classified up to OFFICIAL: Sensitive.

The Australian Cyber Security Centre website had more information on the how and what of multi-factor authentication.

Generic, common or shared user accounts

Having uniquely identifiable users ensures accountability for access to systems and their resources. Generic, common or shared usernames and passwords are not condoned under the ISM guidelines. Any use of generic, common or shared accounts is not in line with this control, and therefore not supported on GovCMS.

Secure Sockets Layer (SSL) certificates

Sites hosted on SaaS must use Secure Sockets Layer (SSL) security certificates for web content. GovCMS manages a shared SSL certificate. Each organisation's website domain name is added.

One URL for each organisation will be added to the shared certificate. It’s critical any supporting URLs have correct redirects in place.

PaaS customers can manage their own security certificates.

During the onboarding phase you will receive information and instructions.

Risk assessments and security plans

According to the Australian Government Information Security Manual (ISM) and Protective Security Policy Framework (PSPF), risk assessments of your organisation’s cloud services are your responsibility.

Organisations must perform due diligence. This includes reviews of financial, privacy, data ownership and data sovereignty. It also includes legal risks with contracting cloud computer services.

The System Security Plans are available on request. These can be provided to the organisation’s nominated IT Security Advisor.

Privacy impact assessments

A privacy impact assessment (PIA) is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

PIAs are an important component in the protection of privacy, and should be part of the overall risk management and planning processes of APP entities.

More information about PIAs can be found on the Office of the Australian Information Commissioner (OAIC) website.

Privacy Impact Assessment Template

GovCMS is providing a PIA template as a starting point for use by agencies on the GovCMS platform. This template has been created in consultation with our legal advisors.

Please note: Completing a PIA is a business decision you need to make in consultation with your privacy team. GovCMS doesn’t require you to do one. We also don’t provide advice, review, or approve your assessment. The Office of the Australian Information Commissioner (OAIC) provides information on conducting a PIA threshold assessment. This can help determine if a PIA is required.


More information and resources

We’ve included some links to resources you may find useful:

This page was last updated on Friday 22 October 2021