What is the Victorian Protective Data Security Framework (VPDSF)?
The Victorian Protective Data Security Framework (VPDSF) was established under Part 4 of the Privacy and Data Protection Act 2014 and took effect on 1 July 2016. This framework, created by the Office of the Victorian Information Commissioner (OVIC), provides information to Victorian public sector organisations about the requirements that are specific to this sector. There are 3 components to the framework: the Victorian Protective Data Security Standards (VPDSS), the Assurance Model, and supplementary security guides and supporting resources.
This framework was developed as a means to help public sector organisations improve their data security practices and policies, manage risk and promote innovation that can lead to increased productivity. On a very broad scale, the VPDSF emphasises a cultural change that moves information security from being an autonomous activity to one that is incorporated in every aspect of the organisation’s operations. It builds in security measures related to the people, the buildings, the systems and the processes of the organisation.
The VPDSF also includes a 5-step action plan for implementation that requires the following:
- Identification of your information assets.
- Determination on the ‘value’ of this information.
- Identification of any risks to the information.
- Application of security measures to protect the information.
- Management of risks across the information lifecycle.
In addition to the 5 steps, there are activities that must be conducted throughout the process to ensure that the steps are completed thoroughly and rigorously. These activities include:
- The completion of a detailed Security Risk Profile Assessment (SRPA).
- The completion of a VPDSF self-assessment.
- The development of a Protective Data Security Plan (PDSP).
- A mandatory review of the PDSP every 2 years, or sooner if there is a significant change to the organisation.
OVIC oversees the compliance and monitoring activities related to the VPDSS, which may include audits.
What are the Victorian Protective Data Security Standards (VPDSS)?
The Victorian Protective Data Security Standards, or VPDSS, were created as a tool that would outline the path to a consistent application of security measures across the information network for the Victorian public sector. The VPDSS consists of 18 high-level mandatory standards, each with 4 protocols that work to protect data across 4 domains – information, personnel, ICT and physical security.
- Security Governance (12 standards) – Executive sponsorship of and investment in security management, utilising a risk-based approach.
- Information Security (3 standards) – Protection of information, regardless of media or format (hard and soft copy material), across the information lifecycle from when it is created to when it is disposed of.
- Personnel Security (1 standard) – Engagement and employment of eligible and suitable people to access information.
- ICT Security (1 standard) – Secure communications and technology systems processing or storing information.
- Physical Security (1 standard) – Secure physical environment (e.g. facilities, equipment and services) and the application of physical security measures to protect information.
The Assurance Model
In order to monitor and measure the efficacy of the protective security measures found in the VPDSF, OVIC has designed the Assurance Model to outline the activities it will engage in while overseeing data security practices across the public sector.
The Assurance Model is comprised of four parts:
- Security Planning that addresses the activities that assess risk and the development of an action plan.
- An Organisational Compliance approach that supports the continuous improvement mandate of the VPDSS.
- The Risk-Based Assurance approach used by OVIC to assess the effectiveness of the VPDSF across the public sector.
- The Assurance Reporting obligations for OVIC.
The 6-Point Approach to Comprehensive Cyber Security
Navigating the requirements of the VPDSF is no easy task. However, Int Tec Solutions embraces a cyber security strategy that permeates the entire cyber landscape of an organisation and actively involves personnel in establishing and maintaining the highest level of security possible. While these activities can benefit organisations in any sector, they can be especially valuable for those in the public sector as they provide the assurances necessary in meeting the requirements of the VPDSF.
Beyond the VPDSF
Achieving the goals laid out by the VPDSF can be intimidating for an organisation of any size, which is why the professionals at Int Tec Solutions can assist with every component to ensure full compliance is achieved. This service can begin during the planning process with the Security Risk Profile Assessment and carry through the entire process, after which only reporting and mandatory reviews are required. Despite the low level of requirements that are formally dictated by the VPDSF once the Protective Data Security Plan has been adopted, Int Tec Solutions will continue to be a proactive party that seeks out new vulnerabilities in a rapidly changing data landscape and works to ensure that these threats are properly accounted for.