Government Compliance Framework

Introduction

Quirk Consulting is committed to delivering modern work management and enterprise tooling solutions that meet the highest standards of security, governance, and regulatory compliance required by Australian Government agencies. Our comprehensive compliance framework ensures that organisations can turn chaos into clarity whilst maintaining full adherence to government standards, guidelines, policies, principles, and frameworks.

This Government Compliance Framework should be read in conjunction with our Privacy Policy, Security Practices, and Service Level Agreement.

Physical Security

Facility Security Controls

Quirk Consulting's operations are designed to meet government physical security requirements:

Data Centre Security:

All data processing occurs within Atlassian and monday.com certified cloud environments that maintain:
- 24/7 physical security monitoring
- Multi-layered access controls with biometric authentication
- Environmental controls (fire suppression, climate control, power redundancy)
- Security personnel and perimeter controls
- ISO 27001 and SOC 2 Type II certified infrastructure (via our cloud providers)

Office Security:

Secure office environments with controlled access systems
Visitor management and escort procedures
Clean desk policies and secure storage for sensitive materials
Physical security assessments conducted annually

Equipment Management:

Asset management procedures for all IT equipment
Secure disposal and data destruction protocols
Hardware encryption on all mobile devices
Remote wipe capabilities for lost or stolen devices

Personnel Security

Security Clearance and Vetting

Quirk Consulting maintains comprehensive personnel security procedures:

Background Checks:

All staff undergo Australian Federal Police (AFP) background checks
Reference verification and employment history validation
Identity verification using 100-point identification system
Ongoing monitoring for personnel in sensitive roles

Security Clearances:

Key personnel can obtain appropriate government security clearances as required
Baseline security clearance capability for government project staff
Negative Vetting Level 1 (NV1) capability available for sensitive projects
Established procedures for clearance applications and maintenance

Training and Awareness:

Mandatory security awareness training for all staff
Government-specific security briefings for project teams
Annual refresher training and competency assessments
Incident reporting and response training

Access Management:

Role-based access controls aligned with principle of least privilege
Regular access reviews and de-provisioning procedures
Segregation of duties for critical functions
Non-disclosure agreements and code of conduct requirements

Information Security Manual (ISM) Compliance

Quirk Consulting's practices align with the Australian Government Information Security Manual (ISM):

Security Framework:

Implementation of security controls aligned with ISM requirements
Regular security assessments and vulnerability testing
Practices designed to support PROTECTED classification requirements
Security control implementation based on comprehensive risk assessment

ACSC Essential Eight Implementation

Quirk Consulting has implemented security practices aligned with the Australian Cyber Security Centre (ACSC) Essential Eight strategies:

Implementation Approach:

Application Control: Approved application execution policies and monitoring procedures
Patch Applications: Commitment to 48-hour critical security update deployment
Configure Microsoft Office Macro Settings: Macro execution restrictions and monitoring practices
User Application Hardening: Browser and application security configuration standards
Restrict Administrative Privileges: Privileged access management procedures and monitoring
Patch Operating Systems: Automated patching procedures targeting 48 hours for critical updates
Multi-Factor Authentication: MFA implementation across all system access points
Regular Backups: Automated, encrypted, and regularly tested backup procedures

Advanced Security Practices:

Endpoint detection and response (EDR) implementation planning
Security information and event management (SIEM) practices
Comprehensive vulnerability management and assessment procedures
Structured incident response and recovery procedures
Business continuity and disaster recovery planning frameworks

Protective Security Policy Framework (PSPF) Alignment

Our security governance aligns with the four core security outcomes of the PSPF:

Governance: Clear security roles, responsibilities, and accountability
Information: Appropriate classification and handling procedures
Personnel: Comprehensive vetting and ongoing suitability assessments
Physical: Secure facilities and protective measures

Information Management

Information Governance Framework

Quirk Consulting maintains comprehensive information management practices:

Information Classification:

Government information classification scheme implementation
Automated classification and labelling systems
Handling requirements for OFFICIAL, PROTECTED, and higher classifications
Clear marking, storage, and transmission procedures

Records Management:

Compliance with National Archives of Australia (NAA) standards
Digital recordkeeping systems with appropriate metadata
Retention and disposal schedules aligned with government requirements
Information lifecycle management procedures

Information Sharing:

Secure information sharing protocols
Third-party information handling agreements
Cross-border data transfer controls
Information disclosure and freedom of information procedures

Privacy Compliance

Australian Privacy Principles (APPs) Implementation

Comprehensive privacy framework addressing all 13 Australian Privacy Principles:

Collection and Use:

Lawful and fair collection practices
Clear purpose limitation and use restrictions
Consent management and withdrawal procedures
Direct collection requirements and exceptions

Disclosure and Security:

Strict data sharing limitations and controls
Overseas disclosure protections and safeguards
Technical and organisational security measures
Data breach notification and response procedures

Access and Correction:

Individual access rights and request procedures
Data correction and update mechanisms
Complaint handling and resolution processes
Privacy impact assessment requirements

Reference: Full details available in our Privacy Policy (www.quirk.com.au/trust-centre/privacy-policy)

Data Management

Data Quality and Governance

Quirk Consulting maintains comprehensive data management practices:

Data Quality Framework:

Data accuracy, completeness, and consistency standards
Regular data quality assessments and improvement programs
Data validation and verification procedures
Master data management and reference data controls

Data Lifecycle Management:

Data creation, maintenance, and retirement procedures
Automated data retention and disposal schedules
Data archiving and long-term preservation
Data migration and transformation controls

Data Protection:

Encryption at rest and in transit using AES-256 standards
Access controls and data loss prevention (DLP) systems
Backup and recovery procedures with regular testing
Data residency controls ensuring Australian storage

Digital Servicing Standards

Government Digital Service Standards Compliance

Quirk Consulting's solutions comply with Australian Government Digital Service Standards:

User-Centred Design:

User research and testing methodologies
Accessibility compliance with WCAG 2.1 AA standards
Inclusive design principles and practices
Continuous user feedback and improvement processes

Digital Service Delivery:

Multi-channel service delivery capabilities
Mobile-first responsive design principles
Performance optimisation and monitoring
Service availability and uptime commitments (99.5% minimum)

Technology Standards:

Open standards and interoperability requirements
API-first architecture and integration capabilities
Cloud-first deployment and hosting strategies
Sustainable technology practices and green IT initiatives

Web Content Accessibility Guidelines (WCAG) 2.1 AA

Accessibility framework ensuring inclusive digital services:

Screen reader compatibility and keyboard navigation support
Alternative text for images and multimedia content
Colour contrast ratios and visual design accessibility considerations
Accessibility testing and validation procedures

Change Management

Configuration and Change Control

Quirk Consulting maintains rigorous change management procedures:

Change Control Board:

Formal change approval processes and governance
Risk assessment and impact analysis procedures
Change categorisation and prioritisation frameworks
Emergency change procedures for critical security updates

Release Management:

Staged deployment procedures with rollback capabilities
Comprehensive testing in non-production environments
User acceptance testing and validation procedures
Post-implementation review and lessons learned processes

Patch Management:

Automated vulnerability scanning and assessment
Risk-based patch prioritisation and deployment
48-hour deployment target for critical security patches
Patch testing and validation procedures

Version Control:

Centralised code repositories with access controls
Branching strategies and code review procedures
Automated build and deployment pipelines
Configuration management and environment controls

Audit Logging and Monitoring

Comprehensive Audit Framework

Quirk Consulting maintains extensive audit logging capabilities:

Audit Log Requirements:

Comprehensive logging of all system access and activities
User authentication and authorisation events
Data access, modification, and deletion activities
Administrative actions and configuration changes
Security events and incident detection activities

Log Management:

Centralised log collection and analysis systems
Real-time monitoring and alerting capabilities
Log retention periods aligned with government requirements (minimum 7 years)
Tamper-evident log storage and protection measures
Regular log review and analysis procedures

Compliance Monitoring:

Automated compliance checking and reporting
Regular internal and external audit procedures
Security control testing and validation
Compliance dashboard and metrics reporting
Corrective action tracking and resolution

Security Monitoring

24/7 security operations centre (SOC) monitoring
Advanced threat detection and response capabilities
Behavioural analytics and anomaly detection
Incident escalation and notification procedures
Forensic investigation and evidence preservation capabilities

Business Continuity and Incident Response

Business Continuity Management

Comprehensive business continuity framework ensuring service resilience:

Business Impact Analysis:

Critical business function identification
Recovery time and point objectives (RTO/RPO)
Dependency mapping and single points of failure analysis
Regular business continuity testing and exercises

Disaster Recovery:

Multi-site backup and recovery capabilities
Automated failover and recovery procedures
Regular disaster recovery testing and validation
Communication and stakeholder notification procedures

Incident Response Framework

Structured incident response procedures ensuring rapid resolution:

Incident Classification:

Security incident categorisation and severity levels
Escalation procedures and response timelines
Stakeholder notification and communication procedures
Regulatory reporting requirements and timelines

Response Procedures:

24/7 incident response capability
Forensic investigation and evidence preservation
Containment, eradication, and recovery procedures
Post-incident review and improvement processes

Compliance Monitoring and Reporting

Continuous Compliance Management

Quirk Consulting maintains ongoing compliance monitoring:

Regular Assessments:

Annual compliance audits and assessments
Quarterly security control testing
Monthly vulnerability assessments
Continuous monitoring and alerting systems

Compliance Reporting:

Regular compliance status reporting to stakeholders
Government reporting requirements and timelines
Compliance metrics and key performance indicators
Corrective action tracking and resolution reporting

Third-Party Validation:

Commitment to independent security assessments and penetration testing
External compliance audit capabilities and preparation procedures
Vendor risk assessment and due diligence procedures
Regular review of cloud provider compliance and certification status

Governance and Accountability

Security Governance Framework

Clear governance structure ensuring accountability and oversight:

Roles and Responsibilities:

Chief Information Security Officer (CISO) accountability
Security committee governance and oversight
Clear security roles and responsibilities matrix
Regular security performance reporting and review

Policy Management:

Regular policy review and update procedures
Security policy exception and waiver processes
Training and awareness program management
Compliance monitoring and enforcement procedures

Contact Information

For questions regarding this Government Compliance Framework or to request additional compliance documentation, please contact:

Quirk Consulting Security Team

Email: hello@quirk.com.au
Phone: (03) 9301 7432
Address: 34 Rangeview Drive, Riddells Creek, Victoria, Australia 3431

Document Control

Version: 1.0
Last Updated: 17/06/2025
Review Date: 01/06/2026
Owner: Chief Information Security Officer