NDIS - APIs, Security, Risk and Assurance
Dear National Disability Insurance Agency,
As of today (1 Oct 22) how may APIs (application programming interfaces) are there at the NDIA/NDIS? Are they all 'secure by design'? Have they all been cybersecurity tested and certified? Have they all be risk assessed and approved? Can I please have a copy of the report that confirms and sums all this up? Along with some information on the qualifications and experience of the individuals/vendors that conducted this recent, ongoing analysis.
Noting the NDIS/NDIA is not obligated, nor complies with the Australian Government's Protective Security Policy Framework (PSPF), can you please provide details on which/what specific cybersecurity standards and government level security standard(s) are used at the NDIS?
This includes all APIs used for bridging between applications, payments processing, connecting to participants bank accounts and details, provider billing, government integration, internal systems, data estate query, payment/shopping, accommodation, GST, etc connections.
Todays Australian Financial Review has some more information and context, if my request is unclear.
How the Optus breach will change corporate Australia forever
"The hack was reportedly to an unprotected API endpoint, which provides access to customer data, but Optus is only making us aware about the data that they are obliged to," "But this API may have data about credit history, account history or other attributes that are linked to my Optus profile. APIs are typically rich with data as they provide the backbone for applications to operate. Optus needs to be more open about this.
"I also fear that if it's true that this was a development environment, then it's also quite likely that a lot of the monitoring and logging required for deep forensic analysis simply won't exist, as it's often not turned on for development environments.
"This is a scary thought, as the reality for Optus in this case is that they will never know the true extent, in which case you have to only assume the worst, that all the data was exfiltrated," he says... lax protection shows businesses, such as Optus, have seemingly forgotten that customers' data doesn't belong to them, and says they should start treating it as a privilege to look after it."
https://www.afr.com/technology/how-the-o...
Yours faithfully,
Beverly
Thank you for your email to the National Disability Insurance Agency
(NDIA) Freedom of Information (FOI) team.
If your email relates to an FOI application made under the Commonwealth
Freedom of Information Act 1982 (FOI Act), the Agency will respond to you
as soon as practicable.
This email address is for applications under the FOI Act only. The Agency
is unable to respond to non-FOI related enquiries sent to this email
address. Any correspondence received that is not an information access
request will not be responded to or forwarded.
If you are seeking to access your personal documents, please consider
submitting your request through our [1]Participant Information Access
(PIA) web-form, which will allow the matter to be processed
administratively.
Should you have a query unrelated to FOI, please contact us by emailing at
[2][email address] or via webchat at [3]NDIA Web Chat (ndis.gov.au).
Alternatively you can also contact us by phoning 1800 800 110.
If you have any questions about making an FOI request, or to enquire about
a current FOI request, please email us with your phone number and a
preferred time for us to call you, and an FOI Decision Maker will call you
back.
Kind regards
Freedom of Information team
Parliamentary, Ministerial & FOI Branch
Government
National Disability Insurance Agency
Email: [4][NDIA request email]
References
Visible links
1. https://aus01.safelinks.protection.outlo...
2. mailto:[email address]
3. https://aus01.safelinks.protection.outlo...
4. mailto:[NDIA request email]
Dear Beverly
Freedom of Information Request: Acknowledgement
Thank you for your request of 1 October 2022, made under the Freedom of
Information Act 1982 (FOI Act), for copies of documents held by the
National Disability Insurance Agency (NDIA).
Scope of your request
You have requested access to the following documents:
As of today (1 Oct 22) how may APIs (application programming interfaces)
are there at the NDIA/NDIS? Are they all 'secure by design'? Have they all
been cybersecurity tested and certified? Have they all be risk assessed
and approved? Can I please have a copy of the report that confirms and
sums all this up? Along with some information on the qualifications and
experience of the individuals/vendors that conducted this recent, ongoing
analysis.
Noting the NDIS/NDIA is not obligated, nor complies with the Australian
Government's Protective Security Policy Framework (PSPF), can you please
provide details on which/what specific cybersecurity standards and
government level security standard(s) are used at the NDIS?
This includes all APIs used for bridging between applications, payments
processing, connecting to participants bank accounts and details, provider
billing, government integration, internal systems, data estate query,
payment/shopping, accommodation, GST, etc connections.
Unless you advise otherwise, we will take it that you agree to the names
and contact details of NDIA staff being excluded from the scope of your
request (that is, the information will be treated as irrelevant).
Processing timeframes
A 30-day statutory period for processing your request commenced from 2
October 2022 in accordance with section 15(2A)(c) of the FOI Act. You
should, therefore, expect a decision from us by 31 October 2022.
This period may be extended if we need to consult with third parties or
for other reasons. We will advise you if this happens.
Charges
We may apply a processing charge to your request and will advise you as
soon as practicable if a charge is payable.
Disclosure Log
Information released under the FOI Act may be published on the NDIA’s
disclosure log located on our website, subject to certain exceptions.
If you have any concerns about the publication of information you have
requested, please contact us.
Further help
Please contact us at [1][NDIA request email] if you have any questions or need
help.
We will contact you using the email address you provided. Please advise if
you would prefer us to use an alternative means of contact.
Kind regards
Freedom of Information Officer
Parliamentary, Ministerial and FOI Branch
Government Division
National Disability Insurance Agency
E: [2][NDIA request email]
[3]Title: NDIS delivered by the National Disability Insurance Agency
[4]LGBTIQA+ rainbow graphic
The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.
[5]Aboriginal and Torres Strait Islander flags graphic
References
Visible links
1. mailto:[NDIA request email]
2. mailto:[NDIA request email]
4. https://intranet.ndiastaff.ndia.gov.au/h...
Dear Beverly
Thank you for your request for information.
Please find attached correspondence in relation to your request. If you
require the attachment in a different format, please let us know.
Please contact us at [1][NDIA request email] if you have any questions or
require help.
Kind regards
Freedom of Information Officer
Parliamentary, Ministerial and FOI Branch
Government Division
National Disability Insurance Agency
E: [2][NDIA request email]
[3]Title: NDIS delivered by the National Disability Insurance Agency
[4]LGBTIQA+ rainbow graphic
The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.
[5]Aboriginal and Torres Strait Islander flags graphic
References
Visible links
1. mailto:[NDIA request email]
2. mailto:[NDIA request email]
4. https://intranet.ndiastaff.ndia.gov.au/h...
Josh left an annotation ()
Compromised API led to data theft of 37 million T-Mobile customers... just saying. https://www.itworldcanada.com/article/co...