Skip to content

The expert's guide to Right Fit For Risk (RFFR)


Introducing the Expert's Guide to Right Fit For Risk (RFFR)

The Right Fit For Risk (RFFR) Guide is an authoritative guide that provides individuals and organizations with the tools and knowledge they need to make informed decisions about their risk management strategies. This guide is designed to help individuals and organizations determine the right fit for their risk management needs, and it provides a comprehensive overview of the various risk management tools and strategies available. It also offers practical advice on how to assess risk and create a risk management plan that meets the unique needs of each individual or organization. The RFFR Guide is an invaluable resource for anyone looking to make informed decisions about their risk management strategies.



Overview of Right Fit For Risk (RFFR)

The Right Fit for Risk (RFFR) is an initiative designed to ensure the safety and security of government-owned data used by providers of contracted private employment services. This scheme was launched by the Department of Education, Skills and Employment (DESE) in late 2019, and it aims to help these providers prepare and secure jobs for job seekers while ensuring that any personal records and information are safely held on their IT systems.

The RFFR approach classifies providers and subcontractors into two categories: Category One, which includes those who deliver services to 2,000 or more individuals per annum because of all their deeds, and Category Two, which includes those who deliver services to fewer than 2,000 individuals per annum because of all their deeds. Providers are required to undertake an accreditation process with the Department to demonstrate that a secure ICT environment has been implemented. The Department is the accrediting authority and is required to assess and verify Providers as meeting the requirements under the RFFR framework. The RFFR requires Providers to complete a set of milestones and check in with the Department for progress to be reviewed, risk assessed, and to seek guidance on meeting the Department's requirements.

Under the RFFR approach, the Department requires providers, as a minimum, to implement and manage a set of core expectations to maintain and enhance their security posture. These core expectations include:

  1. Governance and Management: Providers must establish and maintain a security governance framework that includes the development and implementation of security policies, procedures, and standards. They must also have a designated security officer responsible for overseeing the security program.

  2. Risk Management: Providers must perform regular risk assessments and implement controls to mitigate identified risks. They must also maintain an inventory of information assets and classify them according to their level of sensitivity.

  3. Access Controls: Providers must implement appropriate access controls to ensure that only authorized individuals can access sensitive data. This includes the use of strong passwords, multi-factor authentication, and access controls based on the principle of least privilege.

  4. Network Security: Providers must implement appropriate network security measures to protect their systems from unauthorized access and attacks. This includes the use of firewalls, intrusion detection and prevention systems, and regular vulnerability scans.

  5. Incident Response: Providers must establish and maintain an incident response plan that outlines the procedures to be followed in the event of a security incident. They must also conduct regular security awareness training for their employees to ensure they can identify and respond to security incidents.

  6. Security Testing: Providers must conduct regular security testing, including vulnerability assessments and penetration testing, to identify and address security weaknesses.

  7. Data Protection: Providers must implement appropriate measures to protect sensitive data, including encryption, tokenization, and secure data disposal.

To maintain their certification status, providers and their subcontractors who are RFFR accredited are required to maintain their certification status through annual reporting and surveillance audits to ensure compliance with the RFFR standards. Providers with an existing accreditation will need to complete the annual and three-yearly audits based on the dates when the Department's accreditation was granted.

In summary, the RFFR initiative is designed to ensure the safety and security of government-owned data used by providers of contracted private employment services. Providers are required to implement a set of core expectations, including governance and management, risk management, access controls, network security, incident response, security testing, and data protection. They must also maintain their certification status through annual reporting and surveillance audits to ensure compliance with the RFFR standards.

Application of the RFFR approach using ISO 27001

The Risk Management Framework for Reliability and Resilience (RFFR) is a framework developed by the North American Electric Reliability Corporation (NERC) that is intended to help providers of bulk electric systems maintain and improve their system reliability and resilience. The framework includes a requirement that providers and third-party entities (TPEs) design and implement an Information Security Management System (ISMS) that is consistent with the requirements of ISO 27001. This approach ensures that the information security management system of an organization is consistent with international standards for information security.

ISO 27001 is a widely recognized information security standard that provides a systematic approach to managing information security within an organization. The standard is designed to help organizations of all sizes and types to keep their information assets secure. An ISMS that is consistent with ISO 27001 requires an organization to develop policies, procedures, and controls that are designed to protect the confidentiality, integrity, and availability of its information assets. The RFFR approach provides a framework that helps providers and TPEs to apply ISO 27001 in a way that is specifically tailored to the unique requirements of the bulk electric system.

The application of the RFFR approach using ISO 27001 includes the following steps:

  1. Define the scope of the ISMS: The scope of the ISMS should be clearly defined and documented. This should include a description of the information assets that will be protected, as well as the physical locations and information systems that will be included in the scope.

  2. Conduct a risk assessment: A risk assessment should be conducted to identify and assess the risks to the information assets that are included in the scope of the ISMS. This should include an analysis of the threats, vulnerabilities, and potential impacts of a security incident.

  3. Develop policies and procedures: Based on the results of the risk assessment, policies and procedures should be developed to address the identified risks. These policies and procedures should be consistent with the requirements of ISO 27001.

  4. Implement controls: Controls should be implemented to mitigate the risks that have been identified. These controls should be designed to protect the confidentiality, integrity, and availability of the information assets that are included in the scope of the ISMS.

  5. Monitor and review: The effectiveness of the ISMS should be monitored and reviewed on a regular basis to ensure that it remains effective and is aligned with the evolving needs of the organization. This includes conducting regular security audits and reviews, as well as updating policies and procedures as needed.

The application of the RFFR approach using ISO 27001 provides a comprehensive and systematic approach to managing information security within an organization. By implementing an ISMS that is consistent with the requirements of ISO 27001, providers and TPEs can help to ensure the reliability and resilience of their bulk electric systems. This approach provides a solid foundation for ensuring the security of critical infrastructure and helping to protect against a wide range of cyber threats.

What is the process for acreditation?

Accreditation is a critical process that verifies that a service or system meets a set of established standards. In the context of the Department of Health in Australia, the accreditation process verifies that Providers meet the requirements of the Right Fit for Risk (RFFR) framework. This process involves a series of steps that the Provider must complete before the Department can certify them as being secure.

The Process for Accreditation:

  1. Self-assessment: The first step in the accreditation process is for the Provider to complete a self-assessment. This involves a review of their ICT environment to identify any areas of weakness or vulnerability. The Provider must then develop a plan to address any issues that have been identified.

  2. Engagement with the Department: Once the self-assessment has been completed, the Provider must engage with the Department to seek guidance on meeting the Department's requirements. The Department will provide the Provider with a set of milestones that they must complete to demonstrate that they are on track to meeting the requirements of the RFFR framework.

  3. Security assessment: The Provider must engage an accredited assessor to undertake a security assessment of their ICT environment. The assessor will review the Provider's systems, policies, procedures and controls to determine if they meet the requirements of the RFFR framework.

  4. Assessment report: The assessor will provide the Provider with a report outlining the findings of the security assessment. This report will identify any areas of non-compliance and provide recommendations for how the Provider can improve their ICT environment.

  5. Corrective action: The Provider must implement corrective action to address any areas of non-compliance that have been identified in the security assessment report. The Provider must document their corrective action and provide evidence that it has been implemented.

  6. Department review: Once the Provider has completed all of the milestones and implemented corrective action, they must submit a report to the Department for review. The Department will review the report and make a determination on whether the Provider has met the requirements of the RFFR framework.

  7. Accreditation: If the Provider has met the requirements of the RFFR framework, the Department will accredit them. Accreditation is valid for three years, after which the Provider must undertake the accreditation process again.

The accreditation process for Providers under the RFFR framework is an important step in ensuring that the ICT environment is secure. The process involves a self-assessment, engagement with the Department, a security assessment, corrective action, and a review by the Department. Accreditation is valid for three years, after which the Provider must undertake the accreditation process again.

How to Prepare for RFFR ISMS Certification?

When preparing for RFFR ISMS certification, it is important to understand the three key milestones that will be examined by auditors throughout the accreditation process. These milestones are:

  1. The Initial Assessment: The initial assessment is the first step of the accreditation process. During this stage, the auditor will review your organisation’s current cyber security level and identify areas for improvement. It is important to ensure that you have the necessary documentation and processes in place to demonstrate your commitment to cyber security. This includes a risk assessment, a security policy, and a security plan.

  2. The Implementation of the ISMS: The implementation of the ISMS is the second step of the accreditation process. During this stage, the auditor will review your organisation’s implementation of the ISMS. This includes the implementation of the security controls, the processes for monitoring and reporting security incidents, and the procedures for responding to incidents. It is important to ensure that the ISMS is implemented correctly and that all security controls are properly configured and monitored.

  3. The Final Certification: The final certification is the third step of the accreditation process. During this stage, the auditor will review your organisation’s compliance with the RFFR ISMS standards. This includes the review of the security controls, the processes for monitoring and reporting security incidents, and the procedures for responding to incidents. It is important to ensure that all security controls are properly configured and monitored, and that all processes and procedures are in place and followed.

In order to prepare for RFFR ISMS certification, it is important to ensure that all three of these milestones are met. This includes having the necessary documentation and processes in place, implementing the ISMS correctly, and ensuring that all security controls are properly configured and monitored. Additionally, organizations should ensure that they have a comprehensive security plan in place that outlines the organization’s security objectives and the steps that will be taken to achieve them. Finally, it is important to ensure that all processes and procedures are in place and followed. By following these steps, organizations can ensure that they are properly prepared for RFFR ISMS certification.

What are the requirements to maintain the accreditation?

Maintaining accreditation is a critical aspect of complying with regulatory frameworks and ensuring the ongoing security and privacy of sensitive information. In the case of the Right Fit for Risk (RFFR) framework, maintaining accreditation requires Providers and their Subcontractors to meet certain ongoing requirements.

Here are some of the key requirements for maintaining RFFR accreditation:

  1. Annual Reporting: Accredited Providers and their Subcontractors are required to complete an annual report, which must be submitted to the Department. This report includes an attestation of compliance, which certifies that the organization is complying with the RFFR requirements. The report also includes evidence of the implementation of security controls and processes, such as policies, procedures, and security incident management processes.

  2. Surveillance Audits: In addition to annual reporting, Providers and their Subcontractors are also subject to regular surveillance audits. These audits are conducted by the Department to ensure that the organization is still complying with the RFFR requirements. The surveillance audit is an opportunity for the Department to review evidence of compliance, validate that security controls and processes are being implemented effectively, and identify any gaps or deficiencies that need to be addressed.

  3. Three-Yearly Audits: Providers and their Subcontractors are required to undergo a full reaccreditation audit every three years. This audit is more comprehensive than the annual reporting and surveillance audits and requires the organization to demonstrate full compliance with the RFFR standards. The audit includes a review of policies, procedures, and controls, as well as interviews with staff and stakeholders to validate that the organization is meeting the RFFR requirements.

  4. Prompt Notification: Accredited Providers and their Subcontractors are also required to promptly notify the Department of any changes that may affect their accreditation status. This includes changes to the organization's structure, changes to security controls, and any security incidents that may have occurred. The Department will assess the impact of these changes and determine if any action is required to maintain the accreditation status.

  5. Compliance Monitoring: The Department may also conduct compliance monitoring activities, such as reviews or assessments, to ensure that accredited Providers and their Subcontractors are continuing to comply with the RFFR requirements. These activities may be triggered by incidents or changes within the organization, or they may be conducted as part of the Department's ongoing compliance monitoring program.

In summary, maintaining RFFR accreditation requires ongoing effort and commitment from Providers and their Subcontractors. It involves regular reporting, surveillance audits, and three-yearly audits to ensure compliance with the RFFR standards. By meeting these requirements, organizations can demonstrate their ongoing commitment to information security and privacy, and their ability to protect sensitive information from unauthorized access, use, or disclosure.

What are the categories for providers and subcontractors under RFFR?

The Right Fit For Risk (RFFR) framework is an Australian government initiative aimed at ensuring that providers and subcontractors of employment and related services have adequate systems and processes to manage risks to data security, confidentiality, and privacy. To achieve this objective, the framework classifies providers and subcontractors into categories, with each category having unique requirements for accreditation. In this article, we will delve into the two categories for providers and subcontractors under the RFFR framework.

Category One

Category One providers and subcontractors deliver services to 2,000 or more individuals per annum across all their deeds. In addition, third-party employment and skills (TPES) system vendors seeking accreditation also fall under this category. Category One providers have a greater responsibility to ensure that their systems and processes adequately manage data security, confidentiality, and privacy risks. To obtain accreditation, Category One providers and subcontractors must meet the following requirements:

  1. Completion of an independent assessment

    Category One providers and subcontractors are required to undergo an independent assessment by an accredited auditor. The auditor will verify that the provider's ICT systems, policies, and processes meet the requirements of the RFFR framework. The assessment will be tailored to the provider's specific circumstances and will take into account the risks associated with the services they offer.

  2. Development of an Information Security Management System (ISMS)

    Category One providers and subcontractors must develop and implement an ISMS that is consistent with the requirements of ISO 27001. The ISMS should provide a systematic approach to managing business information, ensuring it remains secure and available to staff when needed. The system should apply a risk management process to information security, securing people, premises, IT systems, and information.

  3. Ongoing compliance reporting

    Category One providers and subcontractors are required to submit an annual compliance report to the Department of Employment, Skills, Small and Family Business. The report should detail how the provider has maintained compliance with the RFFR framework, including any changes or updates to their systems and processes.

Category Two

Category Two providers and subcontractors deliver services to fewer than 2,000 individuals per annum across all their deeds. The accreditation process for Category Two providers is less rigorous than that of Category One providers. To obtain accreditation, Category Two providers and subcontractors must meet the following requirements:

  1. Completion of a self-assessment

    Category Two providers and subcontractors are required to complete a self-assessment that verifies that their ICT systems, policies, and processes meet the requirements of the RFFR framework.

  2. Ongoing compliance reporting

    Category Two providers and subcontractors are required to submit an annual compliance report to the Department of Employment, Skills, Small and Family Business. The report should detail how the provider has maintained compliance with the RFFR framework, including any changes or updates to their systems and processes.

The RFFR framework classifies providers and subcontractors of employment and related services into two categories: Category One and Category Two. The accreditation process for each category is tailored to the number of individuals served by the provider or subcontractor. Category One providers and subcontractors delivering services to 2,000 or more individuals per annum across all their deeds are subject to a more rigorous accreditation process than Category Two providers. Ultimately, the objective of the RFFR framework is to ensure that providers and subcontractors of employment and related services have adequate systems and processes to manage risks to data security, confidentiality, and privacy.

What are the core expectations under the RFFR approach?

The Right Fit for Risk (RFFR) approach is a framework designed to assist Providers and Subcontractors in implementing security controls that are appropriate for the risks associated with the services they provide. The framework consists of a set of core expectations that must be implemented to maintain and enhance their security posture. These core expectations include:

  1. Information Security Management System (ISMS)

    Providers are required to implement an ISMS that is consistent with the requirements of ISO 27001. The ISMS must be comprehensive, and it must provide a systematic approach to managing business information to ensure it remains secure and available.

  2. Risk Management

    Providers must conduct risk assessments on an ongoing basis to identify and mitigate risks to the security of the services they provide. This includes identifying threats, vulnerabilities, and risks associated with the confidentiality, integrity, and availability of the information they process. 

  3. Access Controls

    Providers must implement access controls to ensure that only authorized personnel have access to sensitive information. This includes access controls for physical and logical access, and controls to prevent unauthorized access, disclosure, and modification of sensitive information.

  4. Incident Management

    Providers must have a process for responding to security incidents. The process should include a defined set of procedures for identifying, containing, and resolving security incidents, as well as a process for reporting incidents to relevant parties.

  5. Business Continuity

    Providers must have a business continuity plan in place to ensure that they can continue to deliver services in the event of an interruption. The plan should include procedures for backup and recovery of data, as well as a process for testing the plan on a regular basis.

  6. Compliance

    Providers must comply with all relevant laws, regulations, and industry standards. This includes standards such as ISO 27001, the Privacy Act, and other relevant legislation.

  7. Subcontractor Management

    Providers must manage the security of their subcontractors. This includes ensuring that subcontractors meet the same security requirements as the Provider, and that they are subject to ongoing monitoring and assessment.

  8. Third-Party Vendor Management

    Providers must have a process for managing the security of third-party vendors. This includes ensuring that third-party vendors meet the same security requirements as the Provider, and that they are subject to ongoing monitoring and assessment.
    💡 Explore our solution for third party vendor management

  9. Training and Awareness

    Providers must provide training and awareness programs to their staff to ensure that they are aware of their security responsibilities and are able to comply with the Provider's security policies and procedures.

In summary, the core expectations under the RFFR approach are designed to ensure that Providers and Subcontractors have a comprehensive and effective information security program in place. By implementing these expectations, Providers can effectively manage their security risks and meet the security requirements of the Department.

Enhancing Operational Resilience

Operational resilience management is a critical component of organizational success in an increasingly complex business environment. The ability to withstand disruptions and swiftly recover while ensuring uninterrupted service delivery is paramount. Organizations can leverage advanced operational resilience software solutions, such as 6clicks GRC AI Software, to enhance their resilience efforts.

Operational resilience management involves a proactive approach to identify and address potential risks and vulnerabilities. By utilizing the functionalities of 6clicks technology, organizations can build adaptive capabilities and develop robust strategies to enhance operational resilience.

Key components of operational resilience management include:
  1. Risk Assessment: 6clicks GRC AI Software enables organizations to conduct comprehensive risk assessments. The platform utilizes AI-powered algorithms and advanced analytics to identify and evaluate potential risks, allowing organizations to prioritize their resilience efforts effectively.

  2. Compliance Management: Maintaining regulatory compliance is crucial for operational resilience. 6clicks offers a centralized platform to streamline compliance management processes. It facilitates automated compliance assessments, real-time tracking of compliance status, and customizable workflows to ensure adherence to regulatory obligations.

  3. Business Continuity Planning: 6clicks GRC AI Software supports the development of robust business continuity plans. The platform helps organizations create incident response strategies, conduct impact assessments, and identify alternate processes to ensure seamless service delivery during disruptions.

  4. Incident Response: Swift and effective incident response is essential for operational resilience. 6clicks technology enables organizations to establish incident management workflows, ensuring a coordinated response to disruptions. The platform facilitates communication, collaboration, and documentation sharing among cross-functional teams.

  5. Cybersecurity Resilience: Cyber threats pose significant risks to operational resilience. 6clicks GRC AI Software empowers organizations to enhance their cybersecurity resilience. The platform enables proactive cybersecurity risk assessments, implementation of security controls, and continuous monitoring of cyber threats.

  6. Monitoring and Reporting: Real-time monitoring and reporting capabilities provided by 6clicks technology allow organizations to track the performance of their resilience initiatives. Customizable reports and visualizations offer valuable insights to optimize operational resilience strategies.


Fortifying Business Resilience with 6clicks

6clicks technology plays a pivotal role in enhancing operational resilience within organizations. The platform offers a range of functionalities and capabilities that support different aspects of operational resilience management. Here are some key ways in which 6clicks technology contributes to operational resilience:

  1. Comprehensive Risk Assessment: 6clicks provides advanced risk assessment capabilities, allowing organizations to identify and evaluate potential risks that could impact their operations. The platform employs AI-powered algorithms and analytics to assess risk factors and provide insights into the likelihood and potential impact of various risks. This helps organizations prioritize their resilience efforts and allocate resources effectively.

  2. Compliance Management: Maintaining regulatory compliance is a critical aspect of operational resilience. 6clicks offers features that enable organizations to centralize and streamline compliance management processes. The platform facilitates automated compliance assessments, tracks compliance status in real-time, and provides customizable workflows to ensure adherence to regulatory obligations. This helps organizations stay compliant and reduces the risk of compliance-related disruptions.

  3. Incident Response and Business Continuity: During disruptions, swift and effective incident response and business continuity planning are vital for minimizing the impact on operations. 6clicks technology allows organizations to develop comprehensive incident response plans and business continuity strategies. The platform supports the creation of incident management workflows, impact assessments, and the identification of alternate processes to ensure seamless service delivery even in adverse circumstances.

  4. Cybersecurity Resilience: Cyber threats pose a significant risk to operational resilience. 6clicks technology assists organizations in bolstering their cybersecurity resilience. The platform offers features for conducting proactive cybersecurity risk assessments, implementing security controls, and continuously monitoring cyber threats. By integrating cybersecurity practices into operational resilience strategies, organizations can enhance their ability to protect critical data and systems from cyber-attacks.

  5. Collaboration and Communication: Effective collaboration and communication are essential for maintaining operational resilience. 6clicks provides a collaborative platform that enables cross-functional teams to work together seamlessly. It facilitates the sharing of information, updates, and documentation related to resilience efforts, ensuring that all stakeholders are informed and aligned in their response to disruptions.

  6. Real-time Monitoring and Reporting: Monitoring the effectiveness of operational resilience measures is crucial for continuous improvement. 6clicks technology offers real-time monitoring and reporting capabilities that provide organizations with insights into the performance of their resilience initiatives. The platform generates customizable reports and visualizations, enabling organizations to track key resilience metrics and make data-driven decisions to optimize their resilience strategies.

By leveraging 6clicks technology, organizations can strengthen their operational resilience by effectively managing risks, ensuring regulatory compliance, implementing robust incident response and business continuity plans, enhancing cybersecurity resilience, promoting collaboration, and continuously monitoring and improving their resilience efforts. The comprehensive functionalities of 6clicks technology empower organizations to navigate disruptions successfully and maintain their operational integrity.