This paper provides an overview of the Victorian Protective Data Security Framework and its role in protecting information held by Victorian government agencies, as well as a background of the global and domestic development of public sector information security guidance and standards.
Cyber crime is a rapidly evolving global threat to information and data security, and is estimated to cost the Australian economy around $1 billion each year. According to the federal government’s Cyber Security Strategy, threat actors target Australian government networks on an almost daily basis, compromising system security, service delivery and information access.
As the cyber threat environment evolves and becomes more sophisticated, it is critical to monitor and develop information security systems and capabilities to protect the privacy of individuals and their personal information, particularly in regard to sensitive data held by government agencies. Such agencies rely on this data to provide frontline operations and services, and it is therefore central to their effective operation that data integrity is maintained.
The Victorian Protective Data Security Framework (VPDSF) was released on 28 June 2016, taking effect from 1 July 2016. The VPDSF sets out its objectives as being to assist Victorian public service departments and agencies to ‘identify information and determine ownership, assess the value of information, identify and manage protective data security risks, apply security measures, create a positive security culture and mature their protective data security capability’.
The VPDSF defines protective data security as ‘the practice of implementing security measures to protect Victorian government information’. It aims to maintain the privacy of individuals without creating unnecessary barriers to the use and distribution of personal information within and between government agencies. While all Australian jurisdictions have some form of information security policy in place that governs public sector use of data, Victoria is the first state or territory to introduce an assurance model to complement its mandatory security standards.
The assurance model sets out certain compliance and assurance activities that public service organisations are required to undertake in order to assess their ongoing protective data security development in line with the VPDSF.
Each government organisation is required to develop, implement and maintain a Security Risk Profile Assessment and a Protective Data Security Plan. Organisations must then submit these plans to the Office of the Victorian Information Commissioner (OVIC) within two years after the issue of the Victorian Protective Data Security Standards (VPDSS), and review the documents every subsequent two years, or whenever there is a significant change to their operating or security environment.
In addition, organisations must report annually to the OVIC on their implementation of, and compliance with, the VPDSF, and also perform a maturity assessment in line with standard 12 of the VPDSS.