Right Fit for Risk (RFFR)
What is Right Fit For Risk (RFFR)?
RFFR stands for Right Fit for Risk. RFFR was designed by the Department of Education, Skills and Employment (DESE) in late 2019. The initiative is a scheme targeted at providers of contracted private employment services, whom DESE engages to assist job seekers in preparing for and securing jobs. This scheme aims to ensure that government-owned data (including personal records of participants and other information) is held securely on the provider's IT systems.
Under the Protective Security Policy Framework (PSPF), all Australian government departments are responsible for the protection of data entrusted to them. The department is accountable for ensuring that the contracted employment service providers used in the delivery of employment programs also comply with PSPF requirements.
The Right Fit for Risk requirements are based on the ISO 27001 standard as it is adaptable and well suited to small and medium sized organisations.
Historically, to gain certification as a preferred employment service provider working with DESE, companies had to undergo an IRAP assessment, which was managed under the Pathway approach.
Why change from Pathway to RFFR methodology?
Experience with the Pathway approach showed that it was adversely affected by:
- lack of scalability: the same requirements applied to organisations of every type, size and complexity
- dependence on IRAP assessors, who are predominantly based on the east coast of Australia
- inconsistent quality of submissions, causing accreditation delays and a significant review workload for the department
- regular instances of providers not meeting submission deadlines
RFFR was introduced to reduce this complexity and to align the requirements with each provider's level of risk. It is more adaptable and better suited to the varying sizes of providers.
External Systems Assurance Framework (ESAF) Overview
ESAF is the method DESE uses to gain assurance over providers' IT systems. The ESAF was created to give the department assurance that the risk to its systems and confidential data stored outside the department's ICT environment is being managed responsibly. It covers two categories of external systems:
- Third party employment systems (TPES)
  - The responsibility lies with the provider to use only TPES accredited by DESE.
  - Providers must contact the Digital Information Assurance Section (DIAS) for approval to use or change a TPES.
  - Refer to https://www.employment.gov.au/digital-information-assurance for the list of accredited TPES.
- Cloud Service Providers
  - Cloud services must be accredited by ASD before providers can use them.
  - Providers must review the ASD Cloud Computing Security documents, which describe the security risks associated with cloud computing and how to mitigate them. Providers must also perform due diligence reviews of the legal, financial, insurance and privacy risks associated with procuring cloud services.
How can Sekuro help your organisation Prepare For RFFR ISMS Certification?
At Sekuro, our trained Security Consultants will assist you at every step of the process: setting up your compliance framework, developing your Statement of Applicability (SoA), assessing your information security risks, and guiding you through the implementation of the controls, by hosting workshops and transferring knowledge to your key stakeholders.
Our methodology includes identifying the strengths and weaknesses in your information security implementation and mapping them to your RFFR ISMS goals and compliance requirements.
What Is The Certification Process?
Sekuro's auditors will examine your systems and supporting documentation to ensure your organisation's RFFR ISMS complies with ISO 27001.
Once the implementation requirements are met, your organisation can be certified by an accredited external certification body.