CSU Partnership Arrangement

This Partnership Arrangement is intended to outline and formalise a partnership:-

BETWEEN

  • The State of Queensland acting through Queensland Government Cyber Security Unit within Queensland Government Customer and Digital Services of the Department of Communities, Housing and Digital Economy (“CSU”) of Level 5, 140 Creek Street, Brisbane QLD 4001.

AND

  • the “Client”

Collectively referred to as “the Parties”.

Purpose

The purpose of this Partnership Arrangement is to:

  • Initiate a partnership between the CSU and the Client to promote the uptake of Cyber Security Services with the aim of increasing the protection of Queensland government information systems from cyber security threats.
  • Enhance cooperative and effective working arrangements between the CSU and the Client to benefit the collective Queensland government cyber security community.
  • Recognise industry-led cyber security approaches as a key component of the policy mix in delivering secure and resilient Queensland government information systems.
  • Progress a whole-of-state approach to policy and planning processes related to cyber security as part of an effective balance between regulatory and voluntary approaches.

Guiding Principles

Vision

To develop an exceptional strategic relationship that is based on trust, reciprocity, collaboration, mutual benefits and continuous improvements.

Mission

To work collaboratively and in partnership to improve and uplift the collective Queensland government cyber security capabilities.

Principles

The Partnership Arrangement is founded on the following principles:-

  • Trust: the Parties commit to working together in good faith toward the shared vision and common mission in an environment of open, honest, transparent and timely communication and information sharing.
  • Reciprocity: the Parties will treat each other respectfully and thoughtfully, taking into account each other’s particular interests and perspectives, with issues to be resolved as quickly as possible at the lowest responsible level.
  • Collaboration: the Parties commit to cooperate fully in satisfying the purpose of the Partnership Arrangement and also in supporting the other’s interest.
  • Mutual Benefits: the Parties commit to a win/win relationship where the risks and benefits are shared and both Parties receive value from the relationship established under the Partnership Arrangement.
  • Continuous Improvements: the Parties will continually strive to improve the relationship and commit to delivering improvements and knowledge sharing for the purposes of building innovation in their cyber security capabilities.

Background

The Queensland Government Chief Information Security Officer (QGCISO) and the Queensland Government Cyber Security Unit (CSU) are guiding an uplift in the maturity of cyber security governance and executive level understanding of the cyber threat including:

CSU is now extending its scope to other government providers of critical infrastructure and services such as Government Owned Corporations (GOCs), Statutory Bodies and Queensland Local Government Associations/Councils. CSU is currently also able to assist this broader Queensland government cohort with a range of Cyber Security Services and capabilities utilising both internal and external supply partners.

CSU is required to comply with the Queensland Government Enterprise Architecture (QGEA) including any reporting requirements. QGEA states that other government bodies must have regard to the QGEA and where other government bodies use a service, application or technology owned by a Queensland Government (QG) Department, that body must also apply the relevant policies applicable for that asset. Furthermore, as part of this Partnership Arrangement CSU encourages the Client to familiarise itself with QGEA and use it as best practice guidance.

Period

The Partnership Arrangement is a continuous arrangement that will operate between the parties on an ongoing basis.

Working in Partnership

To advance the purpose of this Partnership Arrangement the parties agree to:

  • cooperate with each other and act reasonably as may be required for the purposes of this Partnership Arrangement;
  • diligently perform their obligations under this Partnership Arrangement in a professional manner;
  • have mutually supportive roles and responsibilities to provide an adequate level of resources into the establishment, implementation, maintenance and continual improvement of information security management initiatives;
  • effectively communicate with CSU to ensure the success of this Partnership Arrangement; and
  • consult with each other on emerging issues relevant to the Partnership Arrangement, ensuring that any information is provided in a timely and effective way.

Reciprocity and Transparency

In the context of cyber security, reciprocity is the practice of exchanging Cyber Threat Intelligence (CTI) with intelligence peers for mutual benefit, especially CTI produced by intelligence peers that would otherwise be unavailable through other sources. The QG and the Client are encouraged to share and enrich intelligence as well as receive CTI to ensure that all intelligence peers are contributing to the QG CTI capability.

A shared model of trust, confidentiality, and collaboration allows QG and the Client to share intelligence in an open and transparent manner to alert intelligence peers to emerging threats. The CSU has established methods to de-identify parties when they share CTI, should they elect to do so. Anonymised CTI can be shared with QG CTI peers whilst still protecting the identity of the source.

As outlined in the Information access and use policy (IS33), the parties should share as much CTI as possible to help others protect their environments. This will only occur if we work together to maximise sharing to protect QG interests. CTI Capability within QG relies on the parties receiving, enriching, and sharing intelligence to benefit QG collectively and intelligence peers.

CSU Cyber Security Services

Effective June 2019, the Cabinet formally approved the continued funding of CSU and its associated Cyber Security Program, including resources, services and initiatives, for a further four (4) year period.

As part of the Cyber Security Program, CSU has established a number of contractual arrangements in line with the Queensland Government Procurement Policy 2019 with various suppliers to deliver a broad range of Cyber Security Services. These Cyber Security Services have assigned funding and specific licence quantities that CSU proactively manages and distributes across the broader Queensland government landscape to support and improve the collective cyber security capabilities.

Subject to available funding and licence quantities, CSU wishes to provide the Client with an opportunity to leverage these Cyber Security Services. The Cyber Security Services will be provisioned through CSU under existing contractual arrangements with its suppliers and will be governed by the same terms and conditions. If required and necessary, the Client will be afforded a direct service relationship with the relevant Cyber Security Services suppliers for the purpose of addressing any technical or ongoing service management requirements.

Responsibilities and Cyber Security Service Provision

The Parties agree to the following responsibilities and provisions:

  • Comply with and uphold the Partnership Agreement terms and conditions;
  • CSU will manage the distribution of the funded licence quantities for any Cyber Security Services required by the Client under this Partnership Arrangement on a case-by-case basis to be agreed in writing between the Parties.
  • In the event that the available funding and/or the licence quantities for any Cyber Security Services are exhausted, any costs associated with the additional Cyber Security Services required by the Client may be addressed in a separate written agreement between the Parties.
  • To pursue the purpose of the Partnership Arrangement and in a spirit of cooperation, including maintaining regular contact to promote its effective implementation:-
    • CSU will provide regular reporting to the Client that outlines the Cyber Security Services usage statistics for any relevant Cyber Security Services consumed.
    • CSU will provide the Client the opportunity to query such statistics within thirty (30) days of receiving the report and raise any performance issues associated with the Cyber Security Services.
    • In return, CSU is seeking regular feedback and any other constructive information from the Client to be provided to CyberSecurityUnit@chde.qld.gov.au in relation to the consumption and performance of the Cyber Security Services.
  • CSU is responsible for managing the supplier relationship with the suppliers provisioning the Cyber Security Services and will manage any performance issues raised by the Client with the supplier.
  • CSU will not be responsible for any loss or damage incurred by the Client in respect to the provision of Cyber Security Services unless the loss or damage is caused or contributed to by the negligence of CSU.
  • Should any of the Cyber Security Services provided under this Partnership Agreement be terminated by CSU for any reason, including contractual reasons, supplier non-performance (and any other reason), a written notification will be provided to the Client by CSU. CSU will use reasonable endeavours to provide earliest possible notice to minimise the impact of such termination.
  • The Client remains accountable and responsible for their own system and information security.
  • The Client is responsible for sharing and communicating any cyber security incident response activities and threat intelligence with CSU.
  • The Parties agree to actively share and build on the knowledge base associated with cyber security.

Review Meeting

To advance and manage the purpose of this Partnership Arrangement the Parties agree to hold twice yearly review meetings, or as otherwise required and agreed between the Parties to:-

  • discuss the operations and performance of the Partnership Arrangement;
  • discuss any requirements associated with the Partnership Arrangement;
  • provide constructive feedback and improvements relating to the Partnership Arrangement;
  • discuss emerging issues relevant to the Partnership Arrangement;
  • address any other matters raised by the Parties.

Contact Officers

The following contact email address is the initial point of contact between the parties in relation to this Partnership Arrangement:-

CSU Contact

Address: Level 5, 140 Creek Street, Brisbane QLD 4001

Email: CyberSecurityUnit@chde.qld.gov.au

Any written notices associated with the Partnership Arrangement are to be addressed to the above email address.

Confidentiality

The Parties agree to hold the other's Confidential Information obtained by the Parties (whether directly or indirectly) as part of the Partnership Arrangement in strict confidence. Each Party as Recipient must:-

(a) keep confidential all Confidential Information of the Discloser;

(b) not use the Confidential Information except for the purposes of the Partnership Arrangement; and

(c) not disclose the Confidential Information except:

  • to its representatives on a need to know basis for the purpose of performing its obligations under the Partnership Arrangement;
  • with the Discloser’s consent;
  • to the extent required by law;
  • to its professional advisors;
  • to a Minister, their advisors or Parliament;
  • as required under the Right to Information Act or the Information Privacy Act; or
  • as required as part of any QG policy or reporting obligations.

Resolution

Any issues or differences that may arise as part of the Partnership Arrangement between the Parties will be raised with the Contact Officers in order to work together and use reasonable endeavours to reach a mutually agreeable resolution.

Should the Contact Officers not reach resolution within ten (10) Business Days then the matter may be escalated to the Parties’ senior management or executive management representatives for further negotiation and resolution, noting that the Parties will encourage proactive problem solving and joint resolution of issues in the spirit of cooperation under this Partnership Arrangement.

Risk

The Parties agree that they enter into this Partnership Arrangement entirely at their own risk without exception on the basis that the Parties will work together to achieve mutual benefits.

The Parties indemnify each other from any claims that may arise in relation to this Partnership Arrangement.

Governing Law

Where applicable, the laws of the State of Queensland govern this Partnership Arrangement and the Parties submit to the exclusive jurisdiction of the courts of Queensland.

Definitions

Business Day

means any day other than a Saturday, Sunday or public holiday in the state of Queensland.

Confidential Information

means all information disclosed by or on behalf of the Parties (Discloser) to the other party (Recipient) in connection with the Partnership Arrangement or created using that information, which is confidential in nature and designated as confidential, or which a reasonable person receiving the information would realise is sensitive or confidential, and all information to the extent it is derived from that information. For clarity Confidential Information includes information that is comprised in or relating to any Intellectual Property Rights as well as Personal Information.

Confidential Information does not include any information which:

(a) is or becomes public, except through breach of a confidentiality obligation;

(b) the Recipient can demonstrate was already in its possession or was independently developed by the Recipient; or

(c) the Recipient receives from another person on a non-confidential basis, except through breach of a confidentiality obligation.

Cyber Security

Measures used to protect the confidentiality, integrity and availability of systems and information from cyber threats.

Cyber Security Incident

A cyber security incident is a single or series of unwanted or unexpected event(s) that impact the confidentiality, integrity or availability of a network or system or the information that it stores, processes, or communicates.

Information Privacy Act

means the Information Privacy Act 2009 (Qld).

Information Security Policy (IS18:2018)

Identifying and managing risks to information, applications and technologies, through their lifecycle, using Information Security Management Systems.

Intellectual Property Rights

includes copyright, trade mark, design, patent, semiconductor or circuit layout rights, trade, business or company names, or other proprietary rights, or any rights to registration of such rights existing in Australia, whether created before, on or after the Commencement Date of this Partnership Arrangement.

Personal Information

has the meaning given:

  1. for the purposes of the Information Privacy Act - in that Act; or
  2. for the purposes of the Privacy Act - in that Act.

Privacy Act

means the Privacy Act 1988 (Cth).

Right to Information Act

means the Right to Information Act 2009 (Qld).


Last Reviewed: 07 February 2022