VICTORIAN PROTECTIVE DATA SECURITY FRAMEWORK (VPDSF) ASSURANCE COLLECTION

Upload: trankhanh, posted 13-Apr-2018


Published by the Commissioner for Privacy and Data Protection PO Box 24014 Melbourne Victoria 3001

First published July 2017

Also published on: http://www.cpdp.vic.gov.au

ISBN 978-0-6480788-7-6


ASSURANCE COLLECTION DOCUMENT DETAILS

Security Classification: Unclassified
Dissemination Limiting Marker: N/A
Release Date: July 2017
Review Date: July 2018
Document Status: Final
Document Version: V1.0
Authority: Office of the Commissioner for Privacy and Data Protection (CPDP)
Author: Data Protection Branch – CPDP

For further information, please contact the Data Protection Branch on [email protected]

CPDP would like to acknowledge that the Capability Maturity Model used in this guide is adopted from the New Zealand Protective Security Requirements (PSR) protective security capability maturity model: https://protectivesecurity.govt.nz/assets/Uploads/Protective-Security-Capability-Maturity-Model.pdf


Contents

Introduction
1. Background
2. Purpose of the collection
3. Scope
4. Audience
5. Use of terms and examples in this collection
6. Assumptions

Chapter 1 – Protective Data Security Risk Profile Assessment
7. Security Risk Profile Assessment overview
8. Consultation
9. Establishing the context
10. SRPA development process
11. Ongoing maintenance of the SRPA
Chapter 1 – Appendices – Protective Data Security Risk Profile Assessment
Chapter 1 – Appendix A – Example Security Risk Profile Assessment Template
Chapter 1 – Appendix B – Summary of SRPA actions

Chapter 2 – Measuring and reporting implementation of the VPDSS
12. Overview of self-assessment
13. Assessing your implementation of the VPDSS
14. Assessing the maturity level of your applicable elements
15. Supporting resources
16. Organisational reporting
Chapter 2 – Appendices – Measuring and reporting implementation of the VPDSS
Chapter 2 – Appendix A – VPDSS self-assessment template
Chapter 2 – Appendix B – Summary of VPDSS self-assessment actions

Chapter 3 – Protective Data Security Plan
17. Overview of Protective Data Security Plan (PDSP)
18. Protective Data Security Plan process
19. Reporting your Protective Data Security Plan
Chapter 3 – Appendices – Protective Data Security Plan
Chapter 3 – Appendix A – Protective Data Security Plan (PDSP) template
Chapter 3 – Appendix B – Summary of PDSP actions


Introduction

1. Background

The Commissioner for Privacy and Data Protection (CPDP) issues security guides to support the Victorian Protective Data Security Framework (VPDSF). The VPDSF documents are inter-linked and should not be read in isolation.

The Assurance Collection forms part of a suite of supporting security guides provided in the Resources section of the VPDSF.

[Diagram: the VPDSF document suite. Panels: Victorian Protective Data Security Framework; Victorian Protective Data Security Standards; Resources; Assurance Model. The Standards panel reproduces the six VPDSS Governance standards (VPDSS V1.0, pages 32–37), whose text is set out below in standard order.]

Standard 1 – Security Management Framework (GOVERNANCE)

Standard: An organisation must establish, implement and maintain a security management framework proportionate to their size, resources and risk posture.

Statement of Objective: To ensure security governance arrangements are clearly established, articulated, supported and promoted across the organisation and to enable the management of security risks to public sector data.

Protocol 1.1: There is executive sponsorship of the security management framework, and it is embedded in the organisation’s governance arrangements.
Protocol 1.2: The security management framework is implemented in the organisation’s governance arrangements.
Protocol 1.3: The security management framework is appropriately monitored and reviewed in the organisation’s governance arrangements.
Protocol 1.4: The organisation’s governance arrangements are improved and the security management framework is updated to respond to the evolving security risk environment.

Controls: An organisation should align its security management framework with ISO/IEC 27001:2013 Information Security Management. This material should be referenced when conducting assessments against these standards.

Standard 2 – Security Risk Management (GOVERNANCE)

Standard: An organisation must utilise a risk management framework to manage security risks.

Statement of Objective: To ensure public sector data is protected through the identification and effective management of security risks across the core security domains.

Protocol 2.1: There is executive sponsorship of security risk management, and it is incorporated in the organisation’s risk management framework.
Protocol 2.2: Security risks are identified and recorded in the organisation’s risk register.
Protocol 2.3: Security risks are appropriately monitored and reviewed in the organisation’s risk register.
Protocol 2.4: Security risk management is improved and the organisation’s risk management framework is updated to respond to the evolving security risk environment.

Controls: An organisation should align its security risk management practices with the Victorian Government Risk Management Framework (VGRMF). Further consideration should also be given to ISO 31000:2009 Risk Management – Principles and guidelines and HB 167:2006 Security risk management. This material should be referenced when conducting assessments against these standards.

Standard 3 – Security Policies and Procedures (GOVERNANCE)

Standard: An organisation must establish, implement and maintain security policies and procedures proportionate to their size, resources and risk posture.

Statement of Objective: To set clear strategic direction for the protection of public sector data.

Protocol 3.1: There is executive sponsorship of security requirements in the organisation’s policies and procedures.
Protocol 3.2: Security requirements are implemented in the organisation’s policies and procedures.
Protocol 3.3: Security requirements are appropriately monitored and reviewed in the organisation’s policies and procedures.
Protocol 3.4: Security requirements are improved and the organisation’s policies and procedures are updated to respond to the evolving security risk environment.

Controls: An organisation should align its security policies and procedures with the better practice guide Developing agency protective security policies, plans and procedures of the Protective Security Policy Framework (PSPF). This material should be referenced when conducting assessments against these standards.

Standard 4 – Information Access (GOVERNANCE)

Standard: An organisation must establish, implement and maintain an access management regime for access to public sector data.

Statement of Objective: To ensure access to public sector data is authorised and controlled across the core security domains.

Protocol 4.1: There is executive sponsorship of security requirements, and they are incorporated in the organisation’s access management regime.
Protocol 4.2: Security requirements are implemented in the organisation’s access management regime.
Protocol 4.3: Security requirements are appropriately monitored and reviewed in the organisation’s access management regime.
Protocol 4.4: Security requirements are improved and the organisation’s access management regime is updated to respond to the evolving security risk environment.

Controls: An organisation should align its access management regime with ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls [Access control]. Further consideration should also be given to relevant provisions within the National e-Authentication Framework and NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This material should be referenced when conducting assessments against these standards.

Standard 5 – Security Obligations (GOVERNANCE)

Standard: An organisation must define, document, communicate and regularly review the security obligations of all persons with access to public sector data.

Statement of Objective: To ensure all persons with access to public sector data understand their security obligations.

Protocol 5.1: There is executive sponsorship of the security obligations of all persons, and they are incorporated in the organisation’s personnel management regime.
Protocol 5.2: Security obligations are embedded into the daily functions and activities of all persons and reflected in the organisation’s personnel management regime.
Protocol 5.3: Security obligations of all persons are appropriately monitored and reviewed in the organisation’s personnel management regime.
Protocol 5.4: Security obligations of all persons are improved and the organisation’s personnel management regime is updated to respond to the evolving security risk environment.

Controls: An organisation should align its security obligations of all persons with the better practice guide Protective Security Guidelines Agency Personnel Security Responsibilities and the Australian Government Personnel Security Protocol of the Protective Security Policy Framework (PSPF). This material should be referenced when conducting assessments against these standards.

Standard 6 – Security Training and Awareness (GOVERNANCE)

Standard: An organisation must ensure all persons with access to public sector data undertake security training and awareness.

Statement of Objective: To create and maintain a strong security culture that ensures that all persons understand the importance of security across the core security domains and their obligations to protect public sector data.

Protocol 6.1: There is executive sponsorship of a security training and awareness program, and it is incorporated in the organisation’s personnel management regime.
Protocol 6.2: The security training and awareness program is implemented in the organisation’s personnel management regime.
Protocol 6.3: The security training and awareness program is appropriately monitored and reviewed in the organisation’s personnel management regime.
Protocol 6.4: The security training and awareness program is improved and the organisation’s personnel management regime is updated to respond to the evolving security risk environment.

Controls: An organisation should align its security training and awareness program with the better practice guide Protective Security Guidelines Agency Personnel Security Responsibilities [Security awareness training] of the Protective Security Policy Framework (PSPF). Further consideration should also be given to relevant provisions within ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls [During Employment] and NIST Special Publication 800-53 [Awareness and Training], Security and Privacy Controls for Federal Information Systems and Organizations. This material should be referenced when conducting assessments against these standards.

2. Purpose of the collection

The Assurance Collection is designed to assist your organisation to measure and report its security capability to CPDP. It outlines the VPDSF reporting requirements and provides the requisite templates for your organisation to complete and submit to CPDP. The collection covers:

Chapter 1 Protective Data Security Risk Profile Assessment

This chapter provides you with guidance on security risk management fundamentals to enable your organisation to complete its Security Risk Profile Assessment (SRPA) as required under s89 of the Privacy and Data Protection Act 2014.


Chapter 2 Measuring and reporting implementation of the Victorian Protective Data Security Standards

This chapter assists your organisation to complete its Victorian Protective Data Security Standards (VPDSS) self-assessment including:

• assessing your implementation of the VPDSS

• assessing the maturity of your protective data security (information security) and setting targets

• enabling your public sector body Head to undertake their annual security attestation

• reporting your level of security capability to CPDP

Chapter 3 Protective Data Security Plan (PDSP)

This chapter provides you with guidance on how to complete your organisation’s Protective Data Security Plan (PDSP) as required under s89 of the Privacy and Data Protection Act 2014.

3. Scope

The Assurance Collection supports organisations’ VPDSF reporting obligations under Part 4 of the Privacy and Data Protection Act 2014. It also builds on existing instructions set out under Part 5 of the VPDSF Assurance Model.

The Assurance Model seeks to ensure that the security capability and maturity levels in the Victorian public sector are as reported by organisations. CPDP will in turn incorporate organisations’ security capability and maturity in its reporting back to government.

The activities set out in this Collection seek to help your organisation to identify, analyse and evaluate its security risks more effectively, and then manage these through the use of your existing risk management frameworks or by referencing established risk management material:

• ISO 31000:2009 Risk Management – Principles and guidelines

• AS/NZS ISO/IEC 27005:2011 Information technology — Security techniques — Information security risk management

• Australian Standards handbook HB 167:2006 Security Risk Management, and the

• Victorian Government Risk Management Framework (VGRMF)

To help your organisation implement a risk-based approach, CPDP advocates the use of the VPDSF Five Step Action Plan.


Five Step Action Plan

01. Identify your information assets. For guidance refer to Chapter 1 of the VPDSF Information Security Management Collection.

02. Determine the ‘value’ of this information. For guidance refer to Chapter 2 of the VPDSF Information Security Management Collection.

03. Identify any risks to this information. For guidance refer to Chapter 1 of the VPDSF Assurance Collection.

04. Apply security measures to protect the information. For guidance refer to Chapter 3 of the VPDSF Assurance Collection.

05. Manage risks across the information lifecycle. For guidance refer to Chapter 2 of the VPDSF Assurance Collection.

Diagram 1. VPDSF five step action plan

Organisations should refer to the Information Security Management Collection [1] for practical guidance on completing the first two steps of identifying and valuing information.

The Assurance Collection will assist your organisation with steps 3-5 of the VPDSF Five Step Action Plan by identifying risks to its information, applying security measures and managing risks across the information lifecycle. These final steps inform your organisation’s Security Risk Profile Assessment (SRPA), the VPDSS self-assessment and the Protective Data Security Plan (PDSP).

Diagram 2 below highlights the three topics covered in this collection and the nexus and information flow between all three chapters.

[Diagram 2. Visual representation of organisational assurance obligations (figure). Three linked activities: Information Asset Protection – Security Risk Profile Assessment (SRPA), Chapter 1; Planning & Implementing – Protective Data Security Plan (PDSP), Chapter 3; Measuring & Reporting – VPDSS Self-Assessment, Chapter 2. The flows between them are labelled Risk, Risk Treatment, Compliance and BAU Implementation.]

[1] Refer to the VPDSF Resources section on the CPDP website.


Diagram 3 below outlines the reporting timelines for organisations.

[Diagram 3. Organisation’s reporting timelines (figure). Year 1, once the VPDSS is issued: develop the SRPA and PDSP, commence implementation, and submit the PDSP to CPDP. Year 2 onward (maintenance): the Compliance and Maturity Assessment is submitted to CPDP annually; the PDSP is reviewed/updated and resubmitted to CPDP biennially.]

4. Audience

This collection is intended for Victorian public sector organisations (including employees, contractors and external parties) that are subject to the protective data security provisions under Part 4 of the Privacy and Data Protection Act 2014 (PDPA).

5. Use of terms and examples in this collection

Please refer to the VPDSF Glossary of Protective Data Security Terms for an outline of terms and associated definitions.

The examples used throughout this collection are provided as guidance to further explain specific topic areas.

6. Assumptions

The activities set out in the collection assume organisations have basic risk management practices in place and that these are operating effectively [2]. Organisations should continue to utilise these practices and refer to this guidance for security risk advice to enable completion of the SRPA and PDSP.

Organisations who have risk practitioners and/or security practitioners will be well placed to drive the actions set out in this collection.

Risk within the context of the VPDSF is focussed on the protection of official information assets. This is often referred to as security risk, information security risk or information risk and is a category of risk to be considered along with other risk categories within an organisational risk management framework.

The way in which your organisation identifies official information assets as the subject of the SRPA is flexible. Official information may be a singular item or a grouping. Further guidance on information and information assets can be found in the VPDSF Information Security Management Collection [3].

[2] The Victorian Managed Insurance Agency (VMIA) provides guidance on implementing the Victorian Government Risk Management Framework (VGRMF). Organisations should refer to VMIA for further guidance on risk management principles and practices.

[3] Refer to the VPDSF Resources section on the CPDP website.


Chapter 1 – Protective Data Security Risk Profile Assessment

7. Security Risk Profile Assessment overview

There is a wide range of threats that, if given the opportunity to interact with an organisation’s information and supporting systems, would pose risks to an organisation. Organisations that identify and manage their risks will have greater confidence in minimising harm and damage, and will recover from impacts faster and more cost-effectively than those that do not.

The Victorian Protective Data Security Framework (VPDSF) is built upon the foundation of risk management principles. It is imperative that organisations are aware of the application of those principles to allow for the identification and management of the security risks to Victorian government information.

A Security Risk Profile Assessment (SRPA) can be a powerful tool for identifying and prioritising these risks to provide efficient, effective and economic investment in security measures. It does not need to be overly complicated or time consuming. The outcomes of the SRPA will allow organisations to provide a level of confidence to citizens, businesses and the community as a whole when interacting with government.

As part of the development of your SRPA you should develop risk evaluation and acceptance criteria that align to, or use, existing risk evaluation processes. Typically these criteria are identified prior to undertaking the SRPA and may need to be revised as part of the risk evaluation process; further information is provided in section 10.3 – Risk evaluation.

This chapter provides a simple-to-use methodology to assist you to undertake a SRPA. The chapter is consistent with the principles detailed in ISO 31000:2009 Risk Management – Principles and guidelines, AS/NZS ISO/IEC 27005:2011 Information technology — Security techniques — Information security risk management, Australian Standards handbook HB 167:2006 Security Risk Management, and the Victorian Government Risk Management Framework.

8. Consultation

Consultation across your organisation is important in order to identify all plausible and possible risks to its official information, and the impact these risks have on your organisation. Beginning with the information and supporting system owners, consultation should also extend to stakeholders with an interest in, or influence on, these assets. These stakeholders can add valuable input into, and an understanding of, the criticality of these assets as well as possible threats to them. Stakeholders include internal and external parties.

Formalising the consultation process for larger organisations ensures that it receives senior management support and includes all business areas. This will also allow senior management to set priorities on functions they consider critical.

The consultation process will also allow you to identify the individual risk owners who have knowledge of risks and controls. These would normally be the asset owners, although for critical risks the level of ownership may be escalated to a more senior person in your organisation.

8.1 Consultation with other areas of protective security

There are significant interdependencies between information security risk management security measures and other areas of organisational protective security, such as personnel safety and security, and physical asset protection, e.g. buildings. When undertaking a SRPA you should liaise with the personnel responsible for undertaking risk assessments for other areas of protective security as well as the information stakeholders. This will ensure that the risk management approach established within your organisation and the SRPA work in unison.

It is important to identify any existing or planned implementation of security measures for other areas of protective security that may have a material impact on, or assist in the mitigation of risks to official information. Working with other organisational security risk areas will also allow the use of single security measures that can mitigate multiple risks across the areas.

The practitioners in these other security risk areas will be able to provide specialist advice and assistance throughout the SRPA process by advising on the effectiveness of existing security measures and suitability of proposed new measures to mitigate risks to official information.

Example 1. – Protective security consultation.

An organisation’s human resources unit develops a personnel screening program as part of the recruitment and ongoing human resource management processes. This would be an opportunity to consult with the unit to ensure the planned security measures will help mitigate risks identified in the SRPA, e.g. the risks of deliberate unauthorised disclosure of information, fraud, theft of assets and employing unsuitable personnel for roles.

9. Establishing the context

An important part of risk management is establishing the context, as this provides value to the process. This is where alignment, planning, understanding and preparation occur.

Prior to undertaking any form of risk assessment, you need to understand the context in which the assessment is being undertaken. As information is the ‘currency’ of government, the security of your organisation’s information is likely to directly or indirectly impact everybody within your organisation as well as any external stakeholders.

9.1 Organisational context

Understand your organisation’s core functions and services of the business and the supporting information assets that are critical to meeting its business objectives.

By understanding your organisation’s business you will be able to select security measures that:

• meet any regulatory or operational requirements

• complement or enhance business operations

Recent incidents and security trends, along with results from audits, will also help to identify risks and inform your selection of security measures to best address these risks.

9.2 External context

It is important to have an understanding of the external environment in which your organisation is operating or may be operating in the future. Understanding the risks arising from this environment will influence the selection of security measures to mitigate security risks.

Additionally, most organisations rely on external service providers for some of their information management. Organisations should consider all external information management providers and their specific roles prior to undertaking a SRPA.


Environmental considerations may also impact the risks to your information. These could include natural and manmade environmental considerations, e.g. flood/bushfire, local crime statistics.

9.3 Legislative and regulatory requirements

The Privacy and Data Protection Act 2014 requires organisations to submit their revised Protective Data Security Plan (PDSP) to the Commissioner for Privacy and Data Protection every two years or where there is a significant change in operating environment. The SRPA is integral in identifying risks to official information that need to be managed; therefore the SRPA will also need to be updated at least every two years or where there is a significant change. Significant change is discussed further in section 19 of this collection.

In addition, your organisation will have its own legislative and regulatory requirements relating to its official information. Confirm these prior to undertaking a SRPA as they may impact on how the risks to your organisation’s information are managed.

Example 2. – Legislative requirements.

Organisations are required to manage all ‘reasonably practicable’ risks to information impacting the safety of personnel in order to meet their Occupational Health and Safety (OHS) obligations.

Organisations can greatly benefit from identifying complementary legislation that requires risk management practices prior to undertaking the SRPA.

9.4 SRPA context

Development of the SRPA context should consider any existing organisationally agreed risk management decisions such as potential consequence levels that are required to be treated no matter the likelihood, or any organisationally accepted appetite for risks at certain levels.

You may consider developing a SRPA project plan that addresses the following:

• goals and objectives for information security

• SRPA program/project outline

• SRPA stakeholder identification

• SRPA resourcing, accountabilities and responsibilities (need senior officer or risk committee sign off/acceptance of SRPA)

• constraints on SRPA, e.g. legislative requirements, available funding

• assumptions

• monitoring and review processes

• security breach history

• relationships with other security functions (personnel security, physical security, fraud control, anti-corruption, etc.)

• possible additional security measure identification methodology


10. SRPA development process

The SRPA process consists of four steps:

• risk identification

• risk analysis

• risk evaluation

• risk treatment

These steps are detailed in Diagram 4. SRPA. It is important that the person undertaking the SRPA consult with all affected stakeholders at each step in the process.

A SRPA template is provided for organisations in Chapter 1 – Appendix A – Example Security Risk Profile Assessment Template. The template will provide the minimum details needed for each information security risk and should be tailored to fit your organisation’s current risk management practices. The SRPA template will also feed into your organisation’s PDSP. The template can be used to record your findings as you step through the stages of the risk assessment.

Alternatively you can tailor the risk register template available on the VMIA website4.

Diagram 4. SRPA

Security Risk Profile Assessment. Every step is undertaken with consultation, and the whole assessment is subject to review at least every two years or when the operating environment changes.

Risk Identification: identify information assets; identify events; identify causes (threats); identify impacts; identify risks

Risk Analysis: evaluate existing controls; rate business impacts (consequences); rate likelihood; rate risks

Risk Evaluation: risk treatment options; risk appetite; prioritise treatment of risks

Risk Treatment: identify possible security measures; evaluate security measures; endorse security measures; assess residual risk

10.1 Risk identification

Risk identification prior to implementing security measures enables the efficient, effective and economic investment in protective data security. Organisations should utilise their existing risk identification processes where available.

Identification of risks associated with any implementation gaps in the VPDSS Self-assessment (i.e. VPDSS elements applicable but not implemented) should also be added to the SRPA.

4 Refer to Risk Register Example Template under VMIA Resources https://www.vmia.vic.gov.au/risk/risk-tools/risk-management-guide

Risk identification defines the ‘risk’ problem and provides insight into ‘uncertainty’ and the possible effect on achieving the objectives. A well-described risk will:

• provide context and meaning of the event, cause and impact for management and oversight

• assist to direct assessments of security measures and treatment planning

• provide meaningful information for reporting and oversight

• reduce over or under investment in unnecessary security measures

• align the uncertainty to the objective

Description of risk is fundamental to the assessment and evaluation of risks and in keeping with the Victorian Government risk management practices. For the purposes of this collection, risk will be described as:

‘The risk of ….event…. caused by .…how…. resulting in ….impact(s)…’.

Your organisation may describe risks differently to ensure alignment with your internal risk management framework.

10.1.1 Identifying and valuing information assets

AS/NZS ISO 31000:2009 – Risk management – Principles and guidelines defines risk as:

‘the effect of uncertainty on objectives.’

In the context of conducting a security risk assessment as described in this collection, the objective is for organisations to ensure the confidentiality, integrity and availability of Victorian Government information i.e. ‘information asset protection’.

Prior to undertaking a risk assessment, your organisation will need to identify the information assets that become the focus of the SRPA.

Identification of information assets is Step 1 of the VPDSF five step action plan. Guidance on identifying information assets is contained in Chapter 1 of the Information Security Management Collection5.

Organisations are also required to conduct a value assessment of the information assets to understand the criticality of the information.

Valuing of information assets is Step 2 of the VPDSF five step action plan. Guidance on conducting a value assessment is contained in Chapter 2 of the Information Security Management Collection6.

Given the sheer numbers of information assets that some organisations may have, initially prioritise the security risk assessment process to critical information assets i.e. prioritisation of protecting the most valuable assets.

It is expected that all other information assets (i.e. assessed as non-critical) would still be considered as part of the ongoing VPDSF program of works.

Ensure that the identification of risks not only considers the information assets, but also includes supporting infrastructure assets that the information comes into contact with as it is handled, stored, processed or transmitted. This may include:

• hardcopy file storage e.g. cabinets, drawers and facilities

• ICT systems and hardware

• communications networks

5 Refer to the VPDSF Resources section on the CPDP website

6 Refer to the VPDSF Resources section on the CPDP website


10.1.2 Identify events

For the purposes of the risk statement, there is only one ‘risk event’. While there may be a number of contributing events as a result of the way in which causes (threats) interact with your organisation’s information, the ‘risk event’ will typically be the most significant event. This one event is likened to a ‘headline’ e.g. how would it be presented if it were to be reported in the press.

Example 3. – Identification of risk events.

A natural weather occurrence may be the initiating cause of ‘data loss’ (risk event) but as a result of the weather occurrence, a lightning strike can damage power lines (event), a plant room can flood (event) and a backup generator can be submerged by water (event). All of these events can contribute to the data loss. The use of the bow tie in the analysis of risk will assist in identifying risk elements.

The introduction of the bow tie analysis is discussed in section 10.1.6 – Introduction and overview of the bow tie analysis method to determine risks.

10.1.3 Identify causes (threats)

The cause of a risk is the initiating factor that occurs to give rise to the risk event, i.e. the threats or sources of risk.

Understanding the composition of causes can be of substantial use in gaining a deeper understanding of the overall threat environment in which you operate. This knowledge can be of benefit in the later stages of a risk assessment process, particularly in establishing the likelihood of risks eventuating, security measures required and prioritising risk treatment.

The causes of risks to official information can come from a variety of areas and may be accidental, deliberate or natural (environmental). Broadly they fall into two categories:

• external – caused by threat sources (people, organisations, governments, natural events, etc.) outside of the organisation’s control

• internal – caused by actions/failures of people, processes or systems within the organisation

It is helpful to identify all of the causes of risks to your information in each category, including the identification of the root cause i.e. the initiator (what started it all).

An indicative list of potential threats to information is available from AS/NZS ISO/IEC 27005:2012 Information technology — Security techniques — Information security risk management, Annex C.

10.1.4 Identify potential impacts

‘Impacts’ are described as the effects of the event on your organisation’s information assets, if the risk event occurred.

To help your organisation identify potential impacts, refer to the impact categories from the VPDSF BIL table. Use the BIL table categories to describe the resulting impacts to your organisation if there were a compromise of the confidentiality, integrity and availability of its information assets.

10.1.5 Drafting the risk statement

Once you have established the three principal elements of the risk, you now combine them to identify the final risk statement. The process contained in example 4 below provides guidance on the construction of the risk statement using the identified elements.


Example 4. – Risk statement.

Event: deletion of financial records; or modification of financial records

Cause (threat): disgruntled employee misusing resources / unauthorised use / abuse of rights

Impact: loss of integrity and availability of information impacting on service delivery (degradation of business operations)

Risk statement: The risk of the deletion or modification of financial records (events) caused by a disgruntled employee (cause) resulting in loss of integrity of the financial records system or unavailability (loss) of information required for the organisation to effectively deliver services (impacts).

As a threat may have multiple potential areas of impact, you could combine these as a single risk as above. However, it may be more beneficial to break them down into separate statements to allow each risk to be treated in its own right (as below).

Example 4 (Cont.)

(i) The risk of the modification of financial records caused by a disgruntled employee resulting in the loss of integrity of the financial records system

(ii) The risk of the deletion of financial records caused by a disgruntled employee resulting in unavailability (loss) of financial information required for the organisation to effectively deliver services.

Chapter 1 – Action 1:

Insert each risk statement in SRPA template as a separate line.

10.1.6 Introduction and overview of the Bowtie method to determine risks

Organisations may gain further assistance to identify the risk elements and links between event, causes (threat) and impacts by undertaking a bowtie analysis of each risk.


Diagram 5. Bowtie analysis

The risk event sits at the centre of the bowtie. Causes fan in from the left and pass through preventative security measures, which reduce likelihood before the risk event. Impacts (consequences) fan out to the right and pass through corrective security measures, which reduce impact after the risk event.

The first step in a bowtie analysis is understanding the ‘risk event’ followed by identifying the causes (threats) and impacts. A bowtie analysis will also help you to identify the possible root causes for risks.

The discovery of risk elements using a bowtie analysis gives great insight into selection of security measures that target all the factors contributing to the risk i.e. preventative, detective and corrective security measures.

Example 5. – Bowtie analysis

Consider the ‘deletion of payroll data’ (risk event) in the centre of a bowtie analysis and that it was deleted by a ‘disgruntled employee’ (cause). These risk elements can be used to complete a bowtie analysis and work backwards to identify the cause of the risk event i.e. the circumstances giving rise to the risk event.

An employee could become disgruntled from any of the following causes:

• concern over continued employment due to organisation downsizing

• being overlooked for promotion

• being subject to bullying/harassment in the workplace

• disagreement with the organisation’s policies or practices

• criminal persuasion

• personal concerns such as marriage breakups, financial difficulties, etc.

Knowing these causes will allow an organisation to identify effective security measure(s) with which to treat the risk, for example addressing the workplace conditions above rather than only restricting access to the payroll data.


10.2 Risk analysis

Risk analysis is the process of determining a rating for the level of each risk, also known as the risk rating.

The analysis process is completed in four stages:

• identification of current controls and their effectiveness

• assessing the business impacts (consequences)

• considering how likely the risk is of occurring

• determining the risk rating (likelihood x impact (consequence))

10.2.1 Identification and effectiveness of existing security measures

The first level of risk analysis conducted during the SRPA process will identify the ‘current risk rating’ i.e. consideration given to how existing security measures are operating to effectively reduce risk.

Identification of security measures currently implemented at this stage of risk analysis is imperative to rating the likelihood of a risk event occurring and the business impacts associated as a result.

Evaluation of the effectiveness of existing security measures should be conducted prior to determining the rating of the business impacts or likelihood.

Evaluation of effectiveness should be supported by audit activities and information that can be tested to confirm the effectiveness of security measures.

Organisations should have their own evaluation of effectiveness approach to guide the process.

Additional advice on evaluating effectiveness of existing security measures is available from the VGRMF Practice Guide7.

Chapter 1 – Action 2:

Insert existing security measures (for each risk) in SRPA template.

10.2.2 Rating business impacts (consequences)

Rating the impact(s) of a risk event assigns a rating that states the effect the event would have on the organisation. This is one part of the risk rating i.e. likelihood x impact (consequence) = risk.

As discussed in section 6 – Assumptions and section 10.1.1 – Identifying and valuing information assets, the focus of the SRPA is the protection of information assets. Guidance in this collection recommends assessing the risks to critical information assets in the first instance.

Organisations are required to assign a value to information assets prior to the risk assessment to understand the level of protection required.

In order to assign a value, organisations should use the VPDSF – Business Impact Level (BIL) table found in chapter 2 of the Information Security Management Collection8. Organisations are advised to contextualise the BIL table to suit their own operating environment and further guidance on contextualising these for your organisation is provided in the Information Security Management Collection.9

7 Refer to Practice Guide on the VMIA website https://www.vmia.vic.gov.au/risk/risk-tools/risk-management-guide

8 Refer to the VPDSF Resources section on the CPDP website

9 Refer to the VPDSF Resources section on the CPDP website


Assigning a value to information assets is equivalent to rating the ‘impact’ (consequence) identified in a risk event. That is, once a risk event has been identified, an organisation is well positioned to understand the impact from a compromise to the information asset, as the assessment has already been conducted as part of the information value assessment.

The VPDSF BIL table can be aligned with your organisation’s consequence ratings table. An ‘indicative only’ mapping is shown in Diagram 6. alignment of VPDSF BIL table and consequence ratings table.

Diagram 6. alignment of VPDSF BIL table and consequence ratings table (indicative only)

The figure is an extract of Appendix B – VPDSF Business Impact Level (BIL) Table for the impact category ‘Economy and finance’, with a consequence rating of 0 to 4 mapped to each impact level:

0 – NEGLIGIBLE: compromise of the information could be expected to cause insignificant harm/damage to government operations, organisations and individuals. Organisation’s operating budget (impact on public finances): insignificant loss of < 1% of the organisation’s annual operating budget. Non-public finances: none.

1 – LOW–MEDIUM: compromise of the information could be expected to cause limited harm/damage to government operations, organisations and individuals. Organisation’s operating budget: limited loss of > 1% – 10% of the organisation’s annual operating budget. Non-public finances: limited financial hardship to an individual or business.

2 – HIGH: compromise of the information could be expected to cause major harm/damage to government operations, organisations and individuals. Organisation’s operating budget: major loss of > 10% – 15% of the organisation’s annual operating budget. Non-public finances: major financial hardship to an individual or business.

3 – VERY HIGH: compromise of the information could be expected to cause significant harm/damage to government operations, organisations and individuals. Organisation’s operating budget: significant loss of > 15% – 20% of the organisation’s annual operating budget. Non-public finances: significant financial hardship to an individual or business.

4 – EXTREME: compromise of the information could be expected to cause serious harm/damage to government operations, organisations and individuals. Organisation’s operating budget: serious loss of ≥ 20% of the organisation’s annual operating budget. Non-public finances: serious financial hardship to an individual or business.

Once the mapping has been done, the ‘value’ of the information as derived from the BIL table corresponds directly to a rating in your consequence ratings table, which removes the need to ‘rate business impacts’ as a stand-alone exercise.

The resulting rating should still be validated against the specific risk event, as this guards against over- or under-valuing the information.

Aligning your organisation’s BIL table with the risk consequence ratings not only strengthens alignment with your internal risk management framework, but also ensures that security measures for the protection of official information are selected consistently across your organisation and enables alignment with other internal control frameworks your organisation may be required to implement.

Chapter 1 – Action 3:

Insert current impact rating in SRPA template.

10.2.3 Rating likelihood

The next step is to determine the likelihood of the risk occurring. Primarily this will be achieved by reviewing the cause of the risk. You should use the likelihood ratings in your organisation’s risk management framework.

The effectiveness of any existing security measures in place may directly influence the likelihood of the risk occurring and should be considered when determining the actual likelihood.


When determining likelihood, you should consider both previous occurrences and future considerations, e.g. the intent, motivation or the capability of human or adversarial threats10.

Additional guidance is available in the VGRMF Practice Guide11.

Example 6. – Likelihood

Threat intelligence data indicates that an organisation could expect a malware attack against its firewall almost weekly, which would attract an ‘almost certain’ rating.

When consideration is given to the organisation’s existing security measure (e.g. a cloud ‘security as a service’ provider that filters and stops known malware attacks before they reach the organisation’s firewall), the likelihood rating can be reduced to ‘unlikely’. The reduction should be supported by evidence that the measure is operating as intended (see section 10.2.1), not by the existence of the measure alone.

Chapter 1 – Action 4:

Insert current likelihood rating in SRPA template.

10.2.4 Rating the risk

Once you have identified the business impact and likelihood rating for each risk considering the existing security measures, you now need to allocate an overall current risk rating.

You should use the risk ratings matrix developed in your organisation’s risk management framework. Additional guidance is available in the VGRMF Practice Guide12.

Chapter 1 – Action 5:

Insert current risk rating in SRPA template.

10.3 Risk evaluation

After you have identified and analysed the risks to your organisation’s official information, you should evaluate which risks are rated at an acceptable level and which need to be prioritised for further action.

The evaluation of risk appetite and prioritisation is a key component in determining the next steps in allocating additional security measures in order to bring the residual risks to levels that are considered acceptable by your organisation.

Good governance of the identified risks becomes increasingly important at this stage and the use of a risk register or template for your SRPA is recommended to track your progress, allocate accountability and encourage a perpetual cycle of monitoring and review.

10 An indicative list of potential threats to information are available from AS/NZS ISO/IEC 27005:2012 Information technology — Security techniques — Information security risk management, Annex C

11 Refer to Practice Guide on the VMIA website https://www.vmia.vic.gov.au/risk/risk-tools/risk-management-guide

12 Refer to Practice Guide on the VMIA website https://www.vmia.vic.gov.au/risk/risk-tools/risk-management-guide


10.3.1 Risk treatment options

There are four potential options for treating each risk:

1. accept – if the risk is within the risk appetite for your organisation then ongoing monitoring will be the primary requirement

2. share – parts of the risk can be shared with a third party, although overall ownership of the risk will remain with the information owner i.e. your organisation. While this may reduce financial consequences to an organisation, it is unlikely to reduce other BIL categories

3. reduce – you can attempt to minimise the risk by introducing additional security measures to reduce the impact (consequence) and/or likelihood of the risk

4. avoid – if an activity produces a risk that is higher than your organisation is willing to accept and it cannot be treated by other means, you may cease that activity altogether in order to avoid the risk. However, if the function is mandated by government then this may not be possible

You should determine which option is best for your organisation for each risk after determining your organisation’s risk appetite and priorities.

10.3.2 Risk appetite

Risk appetite is the amount and type of risk that your organisation is willing to take to achieve its objectives. Risk appetite will vary from organisation to organisation, and it influences and guides decision-making. Risk appetite may also vary within your organisation depending on criticality of information/services that may be affected by the risk.

In an ideal world, the acceptable level of risk would be the lowest available rating but due to cost restrictions and other considerations, this may simply not be practical. When you consider what level would be acceptable for each risk, you should take into account what is reasonably practical to achieve.

If the identified risk is within your organisation’s risk appetite, the risk may be accepted.

The VGRMF Practice Guide13 includes an example risk appetite statement.

Chapter 1 – Action 6:

Complete risk accepted column in SRPA template.

10.3.3 Prioritisation of risk treatment

To determine with what urgency you should address risks, they must first be prioritised. Risks with the highest risk rating are normally attended to first.

Your organisation may choose to identify a default level above which risks must be attended to more urgently and where increasingly more senior levels of management need to be kept up-to-date on progress. For example, internal standards may state that risks rated as ‘high’ or ‘very high’ must be addressed immediately with the organisation’s most senior person or body notified whereas risks rated at ‘medium’ require action at the local level.

13 Refer to Practice Guide on the VMIA website https://www.vmia.vic.gov.au/risk/risk-tools/risk-management-guide


With the risks grouped according to their risk rating, further criteria now need to be considered in order to prioritise them further. Typically, additional considerations may include:

• safety – what are the implications if the risk is not addressed?

• cost – how much will it cost to reduce the risk (and will the benefits outweigh the expenditure)?

• reputation – what is the likely effect on reputation if the risk is not treated?

• legal obligations – is the organisation likely to be unable to meet its legal obligations if the risk is left in its current state?

• occurrence – which risks are more likely to occur?

Example 7. – Prioritisation of risk

An organisation has rated three risks:

• the risk of assault to personnel caused by the disclosure of personal address information resulting in personal serious injury: ‘high’

• the risk of vandalism to critical assets caused by the disclosure of asset location and security code information resulting in the loss of the availability of the assets until repaired/replaced: ‘high’

• the risk of verbal abuse to call centre staff from customers caused by the failure of the Client Relationship Management system database resulting in personal stress related injuries: ‘medium’

With risks first prioritised by rating, the call centre risk is ranked third.

As the organisation considers safety to be its next priority, the assault related risk is ranked first, with the vandalism related risk ranked second.

Chapter 1 – Action 7:

Complete risk priority column in SRPA template.

10.4 Risk treatment (security measures selection)

For risks outside your risk appetite you need to apply additional security measures in order to reduce risks.

The implementation of the security measures to reduce risk will form the basis of your organisation’s PDSP.

A list of high-level security measures called the VPDSS Elements14 has been derived from the ‘control reference’ material that is listed within the VPDSS.

The VPDSS Elements are a list of high-level outcomes and serve two purposes, to:

• mitigate risks

• be implemented in order to meet the objectives of the VPDSS

Whilst your organisation implements granular controls to treat risks, the corresponding security measures (VPDSS elements) for these controls are selected to report to CPDP. This enables consistent reporting across government for further analysis and reporting.

14 Refer to the VPDSF Resources section on the CPDP website


10.4.1 Identifying possible security measures

When selecting security measures to mitigate risks, consider the most effective, efficient and economic use of your budget. The grouping of like risks, or risks from similar threats, even when they have different ratings, may allow you to achieve better value for money.

Identify a range of security measures that when used singularly or in combination will allow you to mitigate the risks to an acceptable level. Additionally, when selecting a range of security measures, not all measures should be of a technical nature, and may also relate to processes and people. All measures should be considered.

Security measures should also provide ‘defence-in-depth’ i.e. a number of measures may provide overlapping risk mitigation which can provide some surety if one measure fails.

10.4.2 Evaluating security measures

Prior to selecting any security measures, develop outcome-focused selection criteria that clearly define what risk mitigation you are trying to achieve. This may be a reduction in business impact, likelihood or both.

For instance, it may be possible for you to lower the business impact from a risk event by segmenting information into multiple repositories, thereby limiting the amount of information that is compromised. This measure would lower the overall impact of a security breach.

However, the impact of losing an individual piece of information within a grouping can rarely be lowered, other than as a by-product of the passage of time or of a reduction in the importance of the business outcome the information supports.

It is more probable that you could select security measures that lower the likelihood of a compromise to your information assets.

Security measures, or groups of measures, that lower the likelihood of compromise of information are ideal, as they will give the greatest overall reduction in residual risk.

In order to ensure that the security measures are fit for purpose the information owners or business areas should be consulted in the development of the selection criteria and ideally form part of the selection team.

10.4.3 Endorsing selection of measures

Seek senior management endorsement for the selected security measures, as they will have initial and ongoing management implications for your organisation.

It may be useful to undertake a cost benefit analysis of the selected security measures in support of your submission to senior management.

The measures are more likely to receive endorsement if you can demonstrate that your selected security measures not only reduce the risk to an acceptable level (where possible) and meet the business needs of your organisation, but also provide other benefits to your organisation or improvements to business processes.

Chapter 1 – Action 8:

Insert additional endorsed measures for implementation in the corresponding column of the SRPA template.


10.4.4 Determining residual risk ratings

Once your organisation has determined its risk treatment option(s), identified possible security measures, and selected the most appropriate security measures to treat the risk, it can reassess the original risk rating and record the residual risk rating.

Chapter 1 – Action 9:

Insert residual impact rating, residual likelihood rating and residual risk rating in SRPA template.

11. Ongoing maintenance of the SRPA

All identified risks in the SRPA should be subject to ongoing monitoring and review. The frequency and depth of attention you give each risk should reflect its rating and priority.

Review risks if there are any changes to your organisation’s operating environment or roles as these changes may impact the existing risks, introduce new risks or change the criticality of your assets.

11.1 SRPA and risk ownership

The overall owner of the SRPA is the public sector body Head. The Head may delegate the management of the SRPA to a senior officer who should be independent of the information owners to ensure all risks to information are given appropriate priority.

If your organisation has not already done so, allocate an owner to each identified risk to ensure it is reviewed with an appropriate frequency and that any additional actions and measures that are required are undertaken within a designated timescale.

In most circumstances the information owner/custodian could be the risk owner, as they are most likely to be aware of changes to the threat environment of the asset. However, for higher risks to critical information assets it may be more appropriate to assign a senior officer as the risk owner to ensure the risk receives the level of oversight commensurate with the risk to your organisation.

Chapter 1 – Action 10:

Insert the risk owner’s role in the SRPA template.


Chapter 1 – Appendix A – Example Security Risk Profile Assessment Template

* Organisations can choose to use this as a reference template.

SECURITY RISK PROFILE ASSESSMENT (SRPA)

Columns of the template:

• RISK NUMBER

• LAST REVIEW DATE

• RISK STATEMENT (“The risk of …event… caused by …how… resulting in …impact(s)…”)

• CURRENT SECURITY MEASURES (Related back to the VPDSF Elements and PDSP)

• CURRENT IMPACT RATING

• CURRENT LIKELIHOOD RATING

• CURRENT RISK RATING

• RISK ACCEPTED (Yes/No)

• RISK PRIORITY

• ADDITIONAL SECURITY MEASURES ENDORSED FOR IMPLEMENTATION

• RESIDUAL IMPACT RATING

• RESIDUAL LIKELIHOOD RATING

• RESIDUAL RISK RATING

• RISK OWNER

Rows: 1. 2. (one line per identified risk)

Chapter 1 – Appendices – Protective Data Security Risk Profile Assessment


Chapter 1 – Appendix B – Summary of SRPA actions

Chapter 1 – Action 1:

Insert each risk statement in SRPA template as a separate line.

Chapter 1 – Action 2:

Insert existing security measures (for each risk) in SRPA template.

Chapter 1 – Action 3:

Insert current impact rating in SRPA template.

Chapter 1 – Action 4:

Insert current likelihood rating in SRPA template.

Chapter 1 – Action 5:

Insert current risk rating in SRPA template.

Chapter 1 – Action 6:

Complete risk accepted in SRPA template.

Chapter 1 – Action 7:

Complete risk priority column in SRPA template.

Chapter 1 – Action 8:

Insert additional endorsed controls for implementation in SRPA template.

Chapter 1 – Action 9:

Insert residual impact rating, residual likelihood rating and residual risk rating in SRPA template.

Chapter 1 – Action 10:

Insert risk owner’s name in SRPA template.

SUMMARY OF SRPA ACTIONS


12. Overview of self-assessment

12.1 Overview of self-assessment activities

Traditional compliance assessments, for example checkbox or traffic light exercises to demonstrate regulatory compliance, do not take into consideration the organisation’s size, resources and risk posture. Being compliant does not equal being secure, and such exercises do not add value back into the organisation in terms of embedding security into its everyday business.

Whilst compliance with the standards is mandatory, the way in which your organisation implements the standards (i.e. which security measures it selects) is risk based according to your size, resources and risk posture.

The self-assessment activities of the VPDSF will provide your organisation with a holistic overview of its implemented security measures and their operating effectiveness. Documenting your implementation of the VPDSS and security maturity will reinforce a continuous improvement lifecycle model that enables your organisation to systematically identify and manage security risk as well as identify opportunities to mature its protective data security practices.

Self-assessment activities are an iterative process where previous reporting outcomes are reviewed, re-validated and updated to reflect currency and improvement.

These actions assist your organisation to monitor and review security planning and implementation activities defined and carried out in the SRPA and PDSP chapters. Further information regarding security planning is in Chapters 1 and 3 of this collection.

12.2 Benefits of measuring and reporting your implementation of the VPDSS

Reviewing the implementation of the VPDSS will assist Victorian public sector organisations to establish, implement and monitor protective data security practices that support the delivery of efficient, effective and economic government services.

Benefits to your organisation aligned with the VPDSF guiding principles include:

• strong governance arrangements e.g. having security policies and procedures in place to promote the consistent application of the VPDSS

• understanding information value and achieving business objectives e.g. being able to identify and prioritise the right level of investment in protective data security activities

• positive security culture e.g. learning from other organisations in the same sector i.e. enabling efficient and effective implementation of the VPDSS, whilst economically achieving business objectives in a secure manner

• sound risk management e.g. only select security measures according to an organisation’s risk posture

• continuous improvement e.g. improving protective data security capability and increasing maturity

Expected benefits to the Victorian Government include:

• consistent application of protective data security

Chapter 2 – Measuring and reporting implementation of the VPDSS


• consistent security reporting

• the identification of serious or systemic protective data security issues across government which can then be addressed through activities such as policy changes, common solutions and awareness activities

• the identification of opportunities to implement and invest in better practice protective data security activities and programs

12.3 VPDSS Self-assessment template

A self-assessment template is provided in the VPDSF Resources section [15] to assist you in measuring your organisation’s implementation of the applicable security measures within the VPDSS. Sections 13 and 14 of this guide explain each of the areas of the template to assist you in completing it for your organisation. Refer to Chapter 2 – Appendix B – Summary of VPDSS self-assessment actions for a summary of key steps.

Any self-assessment is a subjective process and relies on the individuals completing it. Information contained in the self-assessment should be able to be substantiated not only to CPDP, but also to other stakeholders such as executive and internal audit.

Substantiate the assertions made during the self-assessment by referring to security measures [16] that your organisation has in place at the time the self-assessment is completed.

Once your organisation has completed its self-assessment, any identified gaps and opportunities for improvement should be risk assessed and fed into the organisation’s:

• Security Risk Profile Assessment (SRPA)

• Protective Data Security Plan (PDSP) [17]

By doing so, your organisation can ensure its security planning activities are continually reviewed, validated and updated. This process not only enables your organisation to keep track of its implementation of the VPDSS but also assists with identifying, prioritising and investing in security activities for the next VPDSS reporting period.

The information captured in the self-assessment and submitted to CPDP will form the basis of any CPDP assurance activities conducted under the VPDSF assurance model.

Consider VPDSS self-assessment activities as supportive outcomes of an overall ‘protective security’ program designed to also mitigate threats to your broader assets including people.

The methodology detailed in this guide can also be used to map any protective security compliance obligations with personal safety and other asset protection requirements.

13. Assessing your implementation of the VPDSS

This section provides your organisation with guidance on completing columns ‘C’ to ‘I’ of the VPDSS self-assessment template [18], including:

• how to determine applicable VPDSS elements to your organisation

• available choices for the implementation status, implementation plans for the next reporting period and associated risk activities

• how to complete the response / summary to support the implementation of each element (validation of any claims)

• an explanation of the compliance levels used in the self-assessment

15 Refer to VPDSS Self-assessment template in VPDSF Resources on the CPDP website

16 Refer to VPDSS elements in VPDSF Resources on the CPDP website

17 Refer to SRPA and PDSP templates in VPDSF Resources on the CPDP website

18 Refer to VPDSS Self-assessment template in VPDSF Resources on the CPDP website


13.1 Risk based approach

Organisations should adopt a risk-based approach to addressing the standards. As Victorian public sector organisations vary in structure, size, risk appetite, resources and value of information they handle, the ways in which each organisation will implement the standards will vary.

Adopting a risk-based approach to implementing the VPDSS is supported by Diagram 1, the VPDSF five step action plan [19]:

1. identify your information assets

2. determine the ‘value’ of this information

3. identify any risks to this information

4. apply security measures to protect the information

5. manage risks across the information lifecycle

The VPDSS self-assessment along with the SRPA and PDSP enables your organisation to demonstrate how it has implemented or is implementing the standards and managing security risks to its information assets.

The risk-based approach reinforces the management of security risks where security measures are not implemented, or not fully implemented, for the reporting cycle. This may be due to budget constraints, re-prioritisation of resources, or the use of compensatory measures to achieve equivalent security outcomes where the stated measures are not available. These gaps in the implementation of security measures are fed back into the plan, do, check, act continuous improvement lifecycle and form part of your SRPA and PDSP.

Further information regarding a risk-based approach, in particular, the identification of risks to official information is in Chapter 1 – Protective Data Security Risk Profile Assessment in this collection.

13.2 How do I determine applicable VPDSS elements?

Completing column C of the VPDSS self-assessment will provide your organisation with its statement of applicability (SOA) with respect to the VPDSS. Only elements identified as ‘applicable’ will need to progress through the rest of the self-assessment activities. Review each of the elements listed in the VPDSS self-assessment and select either ‘Yes’ if it applies or ‘No’ if it does not.

As a general rule, most of the elements will apply and only a few may not depending on your organisation’s value assessments of its information assets e.g. elements related to specific topics such as:

• PER-060 Organisations with roles handling security classified information or requiring high assurance develop security clearance policies and procedures

• PER-070 Organisations with roles handling security classified information or requiring high assurance undertake additional personnel screening measures commensurate with the risk

Chapter 2 – Action 1:

Complete column C ‘Applicability’ of the VPDSS self-assessment template by selecting either ‘Yes’ if the element applies to your organisation or ‘No’ if it does not.

19 Refer to the VPDSF Five step action plan in VPDSF Resources on the CPDP website


13.3 How do I complete implementation status, plans and risk activities?

13.3.1 Implementation

Column D asks whether the element you have previously identified as applicable is implemented or currently being implemented in your organisation at the time of the report. Select ‘Yes’ if the element has been implemented/currently being implemented or ‘No’ if it has not.

Chapter 2 – Action 2:

Complete column D ‘Implementation’ of the VPDSS self-assessment template by selecting either ‘Yes’ if the applicable element has been implemented in your organisation or ‘No’ if it has not.

13.3.2 In-Plan

For all the applicable elements where ‘No’ has been selected in ‘Implementation’, determine if your organisation is planning on implementing the element before the next reporting period and select either Yes or No in column E.

If an element is noted as being in-plan, the element and its associated planning details should be included in the organisation’s Protective Data Security Plan (PDSP), further guidance on completing the PDSP is contained in Chapter 3.

Chapter 2 – Action 3:

Complete column E ‘In-Plan’ of the VPDSS self-assessment template by selecting either ‘Yes’ if the applicable element you have previously identified as not being implemented is currently planned to be implemented in the next reporting period or ‘No’ if it is not.

13.3.3 Risk managed and risk reference

For any ‘No’ answer selected in ‘Implementation’ or ‘In-Plan’, determine whether the risks associated with not implementing this applicable element have been identified and are being managed. Document these risks in your organisation’s security risk profile assessment (SRPA). Select ‘Yes’ in column F if you are managing the risks associated with not implementing this element and record the corresponding risk reference number in column G; otherwise select ‘No’.

Chapter 2 – Action 4:

Complete column F ‘Risk managed’ and column G ‘Risk reference’ of the VPDSS self-assessment template by selecting ‘Yes’ if the element has been added to your organisation’s SRPA and risk register (and recording the risk ID), or ‘No’ if it has not.


13.4 How do I complete the implementation evidence summary?

For any of the elements your organisation has identified as implemented in column D, complete column H with a high level summary of the security measures in place to support this ‘Yes’ answer.

There are three core components (people, process and technology) that together demonstrate a holistic approach to implementing the elements and, subsequently, meeting the objectives of the standards. In some cases the security measures used to implement an element draw on only one of these components. Conversely, a single security measure may span more than one core component.

Example 8 SOP-010 Organisations identify, document and communicate personnel security obligations

Organisational policy and procedure in place (process); management supports and actively reinforces obligations (process); tools to report security incidents are in place and understood by all (technical).

Example 9 SIM-050 Organisations have a register of all security incidents

Security incident register in place (technical); Incident reporting requirements documented and communicated to all (process and people); Procedure to support registration of incidents in place (process); and organisation has skilled people to maintain register (people).

Example 10 BCM-010 All protective data security domains are represented in business continuity policy and plans

BCP process documented inclusive of security (process);

Note: identification of roles, BCP testing and communications are part of separate BCM elements.

Note: it is understood that some controls are not strictly ‘security’ measures; they may also be ‘business’ measures or belong to other domains, e.g. risk, human resources or business continuity. This exercise, however, looks at them through a security lens, as measures that mitigate information security risks.

Chapter 2 – Action 5:

Complete column H ‘Implementation evidence summary’ of the VPDSS self-assessment template by providing a summary of how your organisation has implemented the element, with examples of the security measures in place (people, process and technology).

13.5 How do I determine my level of compliance?

Now that you have completed the implementation summary column in the self-assessment, you have an idea of whether you have implemented adequate security measures to meet the intent of the element and can demonstrate your level of compliance. The VPDSS self-assessment uses the following compliance levels:


COMPLIANCE LEVEL

DESCRIPTIONS

1-3 Organisations have implemented some security measures but significant work is required to address the element

4-6 Organisations have implemented reasonable security measures, with a reasonable amount of effort still required to address the element

7-9 Organisations are approaching full compliance with the element with minimal security measures left to implement

10 Organisations have security measures in place to fully implement the element

Chapter 2 – Action 6:

Complete column I ‘Level of compliance’ of the VPDSS self-assessment template by selecting your level of compliance for each of the elements from the compliance ratings.
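Sections 13.2 to 13.5 describe a decision procedure over columns C to I of the self-assessment spreadsheet: only applicable elements progress, a ‘Yes’ in column D needs evidence and a compliance level, a ‘No’ in column D needs the In-Plan and Risk managed questions answered, and a ‘Yes’ in column F needs an SRPA risk reference in column G. The following Python script is an added example (it is not part of the Assurance Collection, nor code from the CPDP template) that encodes those consistency rules so a completed template export can be checked before attestation. The `Row` field names, the sample rows, the evidence text and the risk reference `R-07` are constructed for illustration; the element IDs and the compliance bands are the ones quoted on this page.

```python
"""Consistency checks for VPDSS self-assessment rows, columns C to I.

Added example; not part of the VPDSF Assurance Collection or the CPDP
template. Column letters, element IDs and band descriptions follow the
guide text; the row data and the risk reference "R-07" are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Compliance levels from section 13.5: (low, high, short description).
COMPLIANCE_BANDS = [
    (1, 3, "some measures implemented; significant work required"),
    (4, 6, "reasonable measures; reasonable effort still required"),
    (7, 9, "approaching full compliance; minimal measures left"),
    (10, 10, "measures in place to fully implement the element"),
]


def compliance_band(level: int) -> str:
    """Map a column I rating (1-10) to its band description."""
    for low, high, description in COMPLIANCE_BANDS:
        if low <= level <= high:
            return description
    raise ValueError(f"compliance level must be 1-10, got {level!r}")


@dataclass
class Row:
    """One element of the self-assessment template (columns C to I)."""
    element: str                          # VPDSS element ID, e.g. "SIM-050"
    applicable: bool                      # column C
    implemented: Optional[bool] = None    # column D
    in_plan: Optional[bool] = None        # column E
    risk_managed: Optional[bool] = None   # column F
    risk_reference: Optional[str] = None  # column G (SRPA risk ID)
    evidence: str = ""                    # column H
    compliance: Optional[int] = None      # column I


def check_row(row: Row) -> List[str]:
    """Return the consistency problems found in one row (empty if none)."""
    issues: List[str] = []
    if not row.applicable:
        # 13.2: only applicable elements progress through the rest.
        return issues
    if row.implemented is None:
        return ["column D (Implementation) must be answered"]
    if row.implemented:
        # 13.4 / 13.5: a 'Yes' in D needs evidence and a compliance level.
        if not row.evidence.strip():
            issues.append("column H (Implementation evidence summary) is required")
        if row.compliance is None:
            issues.append("column I (Level of compliance) is required")
    else:
        # 13.3.2 / 13.3.3: a 'No' in D needs In-Plan and Risk managed answers.
        if row.in_plan is None:
            issues.append("column E (In-Plan) must be answered")
        if row.risk_managed is None:
            issues.append("column F (Risk managed) must be answered")
        elif row.risk_managed and not row.risk_reference:
            issues.append("column G (Risk reference) is required when F is Yes")
    if row.compliance is not None:
        try:
            compliance_band(row.compliance)
        except ValueError as exc:
            issues.append(f"column I: {exc}")
    return issues


def statement_of_applicability(rows: List[Row]) -> List[str]:
    """Column C across all rows is the organisation's SOA (13.2)."""
    return [r.element for r in rows if r.applicable]


def check_assessment(rows: List[Row]) -> Dict[str, List[str]]:
    """Run check_row over every row; keys are the elements with problems."""
    report = {r.element: check_row(r) for r in rows}
    return {element: found for element, found in report.items() if found}


# Constructed sample rows (not real assessment data).
SAMPLE_ROWS = [
    Row("SIM-050", True, implemented=True,
        evidence="Incident register in place (technical); reporting "
                 "procedure documented (process); trained staff (people)",
        compliance=8),
    Row("PER-060", False),                                   # not applicable
    Row("SOP-010", True, implemented=False, in_plan=True,
        risk_managed=True, risk_reference="R-07"),           # placeholder ID
    Row("BCM-010", True, implemented=False, in_plan=False),  # column F missing
    Row("IAM-070", True, implemented=True, evidence="Policy approved",
        compliance=11),                                      # out of range
]

if __name__ == "__main__":
    print("SOA:", statement_of_applicability(SAMPLE_ROWS))
    for element, found in check_assessment(SAMPLE_ROWS).items():
        print(element, "->", "; ".join(found))
```

Run as a script it lists the statement of applicability and then flags BCM-010 (column F unanswered) and IAM-070 (compliance level outside 1-10). Feeding a CSV export of the real template into `Row` objects is a one-line mapping per column and is left to the organisation's own tooling.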

14. Assessing the maturity level of your applicable elements

This section provides your organisation with guidance on completing columns J and K of the VPDSS self-assessment template, including:

• an explanation of the maturity rating criteria

• an outline on how to set target maturity levels for the next reporting period

14.1 Capability maturity model used in the VPDSF assurance model

The security measures identified in your self-assessment are a demonstration of the security capability in your organisation. The capability maturity model used in the VPDSF assists your organisation to assess the maturity of its implemented security measures appropriate to your security risks. Once these capabilities are identified, you can then measure the maturity of your organisation’s security measures.

These maturity levels should be used as a guide to help your organisation focus any improvement activities and security investment in maturing security measures implemented to mitigate security risks.

The nature of capability maturity models is such that not every organisation will need to achieve the highest maturity level in each of the elements. The maturity levels will depend on the economic, efficient and effective use of the resources available to your organisation.


To help organisations contextualise these maturity levels, the following maturity descriptions are provided. [Adapted from New Zealand Protective Security Requirements (PSR) [20]]

Table 2: Capability maturity model

RATING BASE DESCRIPTIONS

Informal Processes are usually ad-hoc and undocumented. Some base practices may be performed within the organisation, however there is a lack of consistent planning and tracking. Most improvement activity occurs in reaction to incidents rather than proactively. Where practice is good it reflects the expertise and effort of individuals rather than institutional knowledge. There may be some confidence security-related activities are performed adequately, however this performance is variable and the loss of key staff may significantly impact capability and practice.

Basic The importance of security is recognised and key responsibilities are explicitly assigned to positions. At least a base set of protective security measures are planned and tracked. Activities are more repeatable and results more consistent compared to the ‘informal’ level, at least within individual business units. Policies are probably well documented, but processes and procedures may not be. Security risks and requirements are occasionally reviewed. Corrective action is usually taken when significant problems are found.

Core Policies, processes and standards are well defined and are actively and consistently followed across the organisation. Governance and management structures are in place. Risk assessment and management activities are regularly scheduled and completed. Historic performance information is periodically assessed and used to determine where improvements should be made.

Managed Day-to-day activity adapts dynamically and automatically in response to situational changes. Quantitative performance measures are defined, baselined and applied to ensure security performance is analysed objectively and can be accurately predicted in advance. In addition to meeting VPDSS requirements, the organisation also implements many optional ‘better practice’ requirements in response to its risk assessment.

Optimised Security is a strategic issue for the organisation. Long-term planning is in place and integrated with business planning to predict and prepare for protective security challenges. Effective continuous process improvement is operating, supported by real-time, metrics-based performance data. Mechanisms are also in place to encourage, develop and test innovations.

20 New Zealand Protective Security Requirements (PSR) protective security capability maturity model https://protectivesecurity.govt.nz/assets/Uploads/Protective-Security-Capability-Maturity-Model.pdf


14.2 Assessing current maturity levels

By this stage, your organisation has completed most of the VPDSS self-assessment to give you an idea of how your organisation is tracking with implementation of the VPDSS, which can now be used to rate your organisation’s maturity.

Your organisation should use the maturity descriptors provided in Table 2 to assess its current maturity level for each element.

Where an organisation is at differing maturity levels for the same element, the organisation should select the lesser level until all the parameters of the upper level are met.

Example 11.

An organisation has implemented SIM-010 incident management policies and procedures covering all protective data security domains. Whilst the organisation has thorough documentation covering hardcopy and electronic information security incidents as well as executive sponsorship for security incident management (CORE), lessons learnt from previous incidents have not been fed into the review of this documentation to determine where improvements can be made. In this instance the organisation may select ‘Basic’ when assessing their maturity with SIM-010 because although they have adequate processes, the feedback loop to continuously improve is not present.

Example 12.

An organisation is formalising its de-provisioning process this reporting period by adding a supporting procedure to its existing access management regime, which currently covers only the provisioning of access rights to personnel. The organisation already has an approved, overarching identity and access management policy, and skilled staff already follow an undocumented de-provisioning process; those staff highlighted the documentation gap as part of their periodic re-assessment to determine where improvements can be made. In this instance the organisation may select ‘Core’ when assessing its maturity with IAM-070, because it is actively implementing the last step in its off-boarding process.

Chapter 2 – Action 7:

Complete column J ‘Current maturity level’ of the VPDSS self-assessment template by referring to the base descriptors provided in the Capability maturity model to enable you to select a rating from the drop down list.

14.3 Setting target capability maturity levels

The process of setting target capability maturity ratings drives effective, efficient and economical investment into your organisation’s security capability and plays an important role in organisational/business planning activities.

Areas for improvement should be incorporated into your PDSP. Use these gaps as a basis to identify the areas to focus on and set your target capability maturity level for the next reporting cycle. Whilst your organisation should identify its long-term target maturity level in its enterprise strategy, the VPDSF target maturity level is more tactical and completed annually. Use the maturity descriptors provided in Table 2 to set your organisation’s target maturity level for each element.


For Example 11 above, the organisation may select to reach maturity level ‘Core’ for SIM-010 the following year, because it will be reviewing and updating its policies and procedures.

For Example 12 above, the organisation may select to remain at maturity level ‘Core’ for IAM-070 the following year, because it will have formalised its de-provisioning process.

Chapter 2 – Action 8:

Complete column K ‘Target maturity level’ of the VPDSS self-assessment template by referring to the base descriptors provided in the Capability maturity model to enable you to select a rating from the drop down list.

15. Supporting resources

15.1 Audit and review

Consider partnering with internal audit groups to use their knowledge and expertise to validate these assessments. These groups are likely to be well versed in the outcomes of any previous security reviews or audits that may have been conducted for your organisation, as well as any outstanding audit findings or recommendations currently being considered as part of an existing security remediation program.

Where an organisation handles high risk / high value [21] information, you may want to test your self-assessment results via an internal control test. Reviews of your organisation’s implementation of the VPDSS help to confirm:

• the information security measures identified have been implemented to mitigate the risks to the organisation’s official information

• the security measures are effective

• the security measures have been periodically reviewed to confirm they are still relevant and have not been superseded by new measures

The Victorian Auditor-General’s Office may conduct performance audits on the implementation of the VPDSS. For further advice on the performance audit process see the Victorian Auditor-General’s Office Performance Audit Practice Statement [22].

16. Organisational reporting

All organisations to which Part Four of the PDPA applies are to annually report their level of implementation of the VPDSS to CPDP [23]. This report should:

• summarise your organisation’s implementation of the elements to meet the objectives of the VPDSS

• state the current maturity level

• set the target maturity level for the next reporting cycle

• be signed by the public sector body Head to be true and correct

21 Refer to VPDSF Information security guide – Appendix B – Business Impact Level (BIL) table for explanation of ‘high value’ descriptor on the CPDP website

22 Performance Audit Practice Statement on VAGO website http://www.audit.vic.gov.au/about_us/the_audit_process/pa_practice_statement.aspx

23 Refer to the VPDSS implementation timelines in VPDSF Resources on the CPDP website


Use the VPDSS self-assessment template [24] to report your organisation’s implementation of the VPDSS to CPDP. The reporting period is from 1 July until 30 June to align the VPDSS reporting cycle with your financial year reporting requirements.

The deadline for submitting your self-assessment is 31 August.

Your organisation’s self-assessment must be submitted electronically to CPDP using the method requested by CPDP.

The first reporting cycle will set the tone for any subsequent self-assessments. Your organisation can build on previous reports by conducting a gap analysis on historical protective data security practices to re-validate or update to reflect its current capability maturity levels.

Your organisation’s VPDSS self-assessment also provides the business with an overview on the state of your security capability and maturity and may assist with any further security reporting obligations in your regulatory environment.

16.1 Attestation

The attestation is a declaration that the information provided in your organisation’s self-assessment is complete, accurate and has been understood and agreed to by the executive of your organisation to ensure it has senior management recognition.

Once the VPDSS self-assessment is complete, your public sector body Head (e.g. Secretary, managing director, chief executive officer) must sign an attestation statement. The VPDSS self-assessment template contains an attestation for your organisation to complete, before submitting to CPDP.

Chapter 2 – Action 9:

Complete tab 1 – Attestation of the VPDSS self-assessment template before submitting to the Commissioner for Privacy and Data Protection.

16.2 Use of VPDSS compliance reports by CPDP

CPDP will analyse the outcomes from the self-assessments received to:

• identify vulnerabilities to Victorian government information

• report on the information security landscape of Victorian government

• report on trends, themes and issues surrounding information security in the Victorian government

• report on information security status across sectors in the Victorian government

CPDP will also use the outcomes to inform the following assurance activities:

• ‘walkthroughs’ with your organisation to go through your report findings and provide targeted advice

• follow up letter

• desktop review

• inspection

• audit / reviews

• own motion reviews

24 Refer to the VPDSS self-assessment template in VPDSF Resources on the CPDP website


Chapter 2 – Appendix A – VPDSS self-assessment template

Refer to VPDSF Resources on the CPDP website.


Chapter 2 – Appendix B – Summary of VPDSS self-assessment actions


Chapter 2 – Action 1:

Complete column C ‘Applicability’ of the VPDSS self-assessment template by selecting either ‘Yes’ if the element applies to your organisation or ‘No’ if it does not.

Chapter 2 – Action 2:

Complete column D ‘Implementation’ of the VPDSS self-assessment template by selecting either ‘Yes’ if the applicable element has been implemented in your organisation or ‘No’ if it has not.

Chapter 2 – Action 3:

Complete column E ‘In-Plan’ of the VPDSS self-assessment template by selecting either ‘Yes’ if the applicable element you have previously identified as not being implemented is currently planned to be implemented in the next reporting period or ‘No’ if it is not.

Chapter 2 – Action 4:

Complete column F ‘Risk managed’ and column G ‘Risk reference’ of the VPDSS self-assessment template by selecting ‘Yes’ if the element has been added to your organisation’s SRPA and risk register (and recording the risk ID in column G) or ‘No’ if it has not.

Chapter 2 – Action 5:

Complete column H ‘Implementation evidence summary’ of the VPDSS self-assessment template by providing a summary of how your organisation has implemented the element providing examples of security measures (people, process and technology).

Chapter 2 – Action 6:

Complete column I ‘Level of compliance’ of the VPDSS self-assessment template by selecting your level of compliance for each of the standards from the compliance ratings.

Chapter 2 – Action 7:

Complete column J ‘Current maturity level’ of the VPDSS self-assessment template by referring to the base descriptors provided in the Capability maturity model to enable you to select a rating from the drop down list.

Chapter 2 – Action 8:

Complete column K ‘Target maturity level’ of the VPDSS self-assessment template by referring to the base descriptors provided in the Capability maturity model to enable you to select a rating from the drop down list.

Chapter 2 – Action 9:

Complete tab 1 – Attestation of the VPDSS self-assessment template before submitting to the Commissioner for Privacy and Data Protection.


17. Overview of Protective Data Security Plan (PDSP)

The protective data security plan (PDSP) is your organisation’s record for addressing security risks and supporting the implementation of security measures, which take the form of the VPDSS Elements and associated controls.

This plan is directly informed by the treatment of risks assessed within the Security Risk Profile Assessment (SRPA) and gaps in the implementation of the VPDSS Elements identified in the VPDSS self-assessment. Although reported biennially, the plan records the rolling program of work that can span multiple reporting periods depending on the activity.

The PDSP should be developed using your organisation’s existing business planning and risk management processes, with consideration given to:

• business goals and objectives

• business knowledge and risk strategies

• business opportunities

• policy structures

• operational business processes

• organisational structure and extended enterprise

The PDSP is required to:

• consider the business context and objectives of your organisation

• directly address the implementation of security measures resulting from protective data security risks identified within the SRPA

• directly address the implementation of security measures resulting from gaps in the implementation of applicable VPDSS elements

• be developed and provided to CPDP two years after the issue of the standards

• be reviewed and provided to CPDP biennially

• be reviewed and provided to CPDP upon significant change to the operating environment or security risks relevant to your organisation

• be endorsed by an appropriate internal governance body

17.1 Benefits of planning, recording and monitoring the implementation of the VPDSS in the PDSP

The PDSP has many of the same benefits as the annual VPDSS self-assessment, and builds on these in the following ways:

• a living plan of record of the security programs and projects for implementation of the VPDSS

• monitor the success of security capability uplift

• show continual improvement over various time periods

• monitor the efficient, effective and economical use of organisational resources in the delivery of protective data security outcomes

Expected benefits to the Victorian Government include:

• measure the application of protective data security

• consolidated view of security spend across Victorian Government


• identification of serious or systemic protective data security issues across government

• whole of Victorian Government (WoVG) security profile

• identification of policy changes e.g. WoVG security programs and awareness activities

• identification of opportunities to implement and invest in better practice protective data security activities and programs

17.2 Protective Data Security Plan template

A PDSP template is provided in the VPDSF Resources section25 to assist you in recording and reporting your organisation’s security planning activities.

Section 18 of this guide explains each of the areas of the template to assist you in completing it for your organisation.

By doing so, your organisation can ensure the security planning activities are continually reviewed, validated and updated. This process not only enables your organisation to keep track of its implementation of the VPDSS but also assists with identifying, prioritising and investing in security activities for the next period.

The information captured and submitted to CPDP in the PDSP will inform any CPDP assurance activities conducted under the VPDSF assurance model.

18. Protective Data Security Plan process

Having followed the guidance and completed the steps in chapters one and two of this Assurance Collection, organisations will have sufficient information to complete the PDSP.

The following sections of this chapter will assist your organisation in completing section 1 and 2 of the PDSP template including:

• the relevant sources from which to complete sections 1 and 2

• how to complete the summary to support the implementation of each VPDSS element

• an overview of implementation data e.g. budget, status and target dates

18.1 How do I reference security risks, data security standards and VPDSS elements in the PDSP?

Section 1 of the PDSP references and represents a link to the outcomes of performing the security risk profile assessment (SRPA) and the annual VPDSS self-assessment i.e. an organisation’s security risks and any gaps in implementation of the VPDSS elements.

This provides an organisation with end-to-end traceability of its implementation of the VPDSS elements and therefore corresponding standards, and reinforces the principles of the VPDSF e.g. good governance equals good security and sound security risk management.

18.1.1 Security risk references

Depending on the maturity of an organisation’s risk management framework and processes, security risks will be managed in either the VPDSF SRPA template or an organisational risk register.

The PDSP assists organisations to track and manage the implementation of security measures to treat risk as well as assist in the measurement of success of the security uplift programs.

25 Refer to Protective Data Security Plan template in VPDSF Resources on the CPDP website


Review your SRPA or organisational risk register and include these references in column A of the PDSP.

Completion of this column will not be required where implementation of a VPDSS element is undertaken as a compliance or business as usual activity.

Chapter 3 – Action 1:

Review the organisation’s SRPA or the organisation’s risk register (where relevant) and note the risk reference in column A.

18.1.2 Data security standard and VPDSS element reference

To assist organisations with completing this section, determine if your organisation is implementing, or planning on implementing any of the VPDSS elements and therefore the corresponding standards. This information is primarily sought from two inputs into the PDSP, the SRPA and the VPDSS self-assessment. Further information can be found in Chapters 1 and 2 of this collection.

1. If the outcome of the SRPA has identified that additional measures for implementation are required and have been endorsed, select the standards and elements from the SRPA (where an organisation has chosen to use the SRPA template).

2. To identify VPDSS Elements to be implemented from the VPDSS self-assessment, select the standards and elements from columns C, D and E of the VPDSS self-assessment. Only select where the standard and element are:

• applicable

• not currently implemented

• planned for implementation for the next annual reporting cycle

Replicate these selected standards and elements into columns B and C of the PDSP.

Chapter 3 – Action 2:

Review the organisation’s VPDSS self-assessment and SRPA to complete columns B and C of the PDSP.
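The selection rule in 18.1.2 and Action 2, as an added Python example that is not part of the guide or its templates: it filters constructed self-assessment rows on columns C, D and E, checks columns F and G for consistency, and emits PDSP columns A to C. Column letters follow the guide; the row layout, the standard and element labels, the risk ID, and the assumption that PDSP column A takes the risk ID recorded in self-assessment column G are mine.

```python
from dataclasses import dataclass

# Added example, not from the VPDSF guide or its templates. Column letters follow
# the guide; the row layout, element identifiers and sample values are constructed.
YES_NO = ("Yes", "No")


@dataclass(frozen=True)
class SelfAssessmentRow:
    standard: str        # e.g. "Standard 9" (constructed label)
    element: str         # e.g. "E9.010" (constructed identifier)
    applicability: str   # column C: Yes/No
    implementation: str  # column D: Yes/No, blank when column C is No
    in_plan: str         # column E: Yes/No, blank unless C is Yes and D is No
    risk_managed: str    # column F: Yes/No or blank
    risk_reference: str  # column G: risk ID from the SRPA or risk register, or blank


@dataclass(frozen=True)
class PdspRow:
    risk_reference: str  # PDSP column A; assumed to carry the column G risk ID
    standard: str        # PDSP column B
    element: str         # PDSP column C


def validate(row):
    """Return the consistency problems found in one self-assessment row."""
    problems = []
    if row.applicability not in YES_NO:
        problems.append(f"column C must be Yes/No, got {row.applicability!r}")
    elif row.applicability == "Yes":
        if row.implementation not in YES_NO:
            problems.append(f"column D must be Yes/No, got {row.implementation!r}")
        elif row.implementation == "No" and row.in_plan not in YES_NO:
            problems.append(f"column E must be Yes/No, got {row.in_plan!r}")
    if row.risk_managed == "Yes" and not row.risk_reference:
        problems.append("column F is Yes but column G records no risk ID")
    if row.risk_managed != "Yes" and row.risk_reference:
        problems.append("column G records a risk ID but column F is not Yes")
    return problems


def is_pdsp_candidate(row):
    """Guide rule: applicable, not currently implemented, planned for the next cycle."""
    return (row.applicability, row.implementation, row.in_plan) == ("Yes", "No", "Yes")


def derive_pdsp_rows(rows):
    """Return (pdsp_rows, rejected, untreated).

    'untreated' lists applicable elements that are neither implemented, planned
    nor risk managed: an added reviewer check, not a rule stated in the guide."""
    pdsp, rejected, untreated = [], [], []
    for row in rows:
        problems = validate(row)
        if problems:
            rejected.append((row.element, problems))
        elif is_pdsp_candidate(row):
            pdsp.append(PdspRow(row.risk_reference, row.standard, row.element))
        elif (row.applicability, row.implementation) == ("Yes", "No") and row.risk_managed != "Yes":
            untreated.append(row.element)
    return pdsp, rejected, untreated


# Constructed sample rows, one per case the rules above distinguish.
SAMPLE_ROWS = [
    SelfAssessmentRow("Standard 9", "E9.010", "Yes", "No", "Yes", "Yes", "RISK-042"),
    SelfAssessmentRow("Standard 2", "E2.020", "Yes", "Yes", "", "", ""),
    SelfAssessmentRow("Standard 14", "E14.030", "No", "", "", "", ""),
    SelfAssessmentRow("Standard 6", "E6.040", "Yes", "No", "No", "No", ""),
    SelfAssessmentRow("Standard 11", "E11.050", "Yes", "No", "Yes", "Yes", ""),
]
```

Only the first sample row reaches the PDSP; the last is rejected because column F claims the risk is managed without a risk ID, and E6.040 is flagged as an applicable gap with no plan and no risk treatment.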

18.2 How do I complete the implementation plan summary and details?

Section 2 of the PDSP represents an organisation’s implementation plan of the VPDSS elements.

This section will assist organisations with many governance and reporting outcomes of security uplift programs.

18.2.1 Implementation plan summary

In addition to the guidance contained in ‘Chapter 2 – Measuring and reporting implementation of the Victorian Protective Data Security Standards’, organisations are requested to provide a summary of implementation plans. This summary assists your organisation to keep track of outcomes of security measures, maintain scope and applicability to reduce risks and measure success of implementation.

This summary should give an overview of the security measure(s) to be implemented and their outcome or end state. If a staged or phased approach is undertaken, an overview of each staged/phased deliverable should be included.


The PDSP template provides an example. Your organisation can utilise project or program summaries e.g. project briefs or business cases as appropriate where implementation is as a result of a sponsored project or program.

Chapter 3 – Action 3:

Complete column D ‘Implementation Plan’ of the PDSP by providing a summary of how your organisation will implement the element.

18.2.2 Implementation plan details

The implementation plan details provide your organisation with a single authoritative view of roles, timelines, financial commitments and status associated with the implementation of security measures. These details will assist with organisational governance reporting and business planning activities. The PDSP will, over time, provide historical snapshots of security uplift and continual improvement activities.

Primarily, the details contained in this section of the PDSP will consist of security measures whose implementation is part of a project or program of works, or part of typical business as usual activities and operating budgets.

If implementation is part of a project or program, the sponsor is the accountable role within the organisation for implementation of the security measure as well as delegation for financial commitment.

The sponsorship (sponsor) of security measure implementation as part of business as usual activities and operating budgets is the role with financial delegation for expenditure.

Organisations are free to develop implementation status descriptors that make sense to them, for example ‘for approval’, ‘business case preparation’ or ‘currently implementing’. As a starting point, use the phases of your organisation’s project management methodology.

Chapter 3 – Action 4:

Complete column E ‘Implementation Owner’. The role responsible for the implementation of the security measure to meet the objective of the VPDSS.

Chapter 3 – Action 5:

Complete column F, G and H – ‘Project, Program or BAU’, the ‘Project or Program Sponsor’ and the ‘Implementation Budget’.

Column F: Security measure implementation is a project, program or business as usual.

Column G: Sponsorship of security measure implementation.

Column H: The dollar ($) spend associated with implementation of the security measure.


Chapter 3 – Action 6:

Complete columns I and J – ‘Implementation status’ and ‘Implementation due date’.

Column I: Indicate the current status of the implementation.

Column J: The expected due date for security measure to be fully implemented and operating.

Chapter 3 – Action 7:

Complete column K ‘Protective Data Security Plan’. The date the PDSP is submitted to CPDP.

19. Reporting your Protective Data Security Plan

All organisations to which Part Four of the PDPA applies are to biennially supply a copy of their completed and approved PDSP to CPDP.

The PDSP must be revised:

• if there is a significant change to the operating environment or the security risks relevant to the organisation

• otherwise, every two (2) years.

The PDSP will summarise your organisation’s plan to implement security measures to treat security risks, identified VPDSS self-assessment implementation gaps, responsible and accountable roles and budgetary impacts.

Organisations must use the PDSP template26 to report their security planning to CPDP. CPDP’s reporting period is from 1 July until 30 June to align the reporting cycle with your financial year reporting requirements. The deadline for submitting your PDSP is 31 August.

Your organisation’s PDSP must be submitted electronically to CPDP using the method requested by CPDP.

A significant change requiring revision of the PDSP outside the standard biennial cycle is an important change within an organisation that is worthy of attention. Large operational changes (e.g. a Machinery of Government change) and large technology system changes (e.g. large projects or programs of work) that identify risks worthy of being noted in the SRPA and PDSP could be considered significant.

19.1 Use of Protective Data Security reports by CPDP

CPDP will analyse the PDSP in conjunction with the SRPA and self-assessments received to:

• report on the information security landscape of Victorian government

• report on trends, themes and issues surrounding information security in the Victorian government

• report on information security spend across the Victorian government.

26 Refer to the PDSP template in the VPDSF Resources section on the CPDP website


19.2 Where can I get help with completing the PDSP?

In order to gather the required information to complete the PDSP, you should consider partnering with various organisational groups to collect and validate the required information.

Organisational risk management teams are typically responsible for the risk management framework. The risk management practitioners will be either custodians of or a point of contact for the SRPA and PDSP. This will ensure the PDSP contains all of the security risk treatment information.

Project management offices typically have a governance and oversight role for organisational programs and projects. Any projects or programs to support security uplift should be registered with project management offices and therefore are a good source of information for the PDSP.

Internal audit groups should be well versed in the outcomes of any previous security reviews or audits that may have been conducted for your organisation, as well as any outstanding audit findings or recommendations.


Chapter 3 – Appendix A – Protective Data Security Plan (PDSP) template

Refer to VPDSF Resources on the CPDP website.


Chapter 3 – Appendix B – Summary of PDSP actions

Chapter 3 – Action 1:

Review the organisation’s SRPA or the organisation’s risk register (where relevant) and note the risk reference in ‘column A’.

Chapter 3 – Action 2:

Review the organisation’s self-assessment template and SRPA to complete ‘columns B and C’ of the PDSP.

Chapter 3 – Action 3:

Complete column D ‘Implementation Plan’ of the PDSP by providing a summary of how your organisation will implement the element.

Chapter 3 – Action 4:

Complete column E – Implementation Owner. The role responsible for the implementation of the security measure to meet the objective of the VPDSS.

Chapter 3 – Action 5:

Complete column F, G and H – Project, Program or BAU, the Project Sponsor and the Implementation Budget.

Column F: Security measure implementation is a project, program or business as usual.

Column G: Sponsorship of security measure implementation.

Column H: What is the dollar ($) spend associated with implementation of the security measure.

Chapter 3 – Action 6:

Complete columns I and J – Implementation status and implementation due date.

Column I: Please indicate the current status of the implementation.

Column J: The expected due date for security measure to be fully implemented and operating.

Chapter 3 – Action 7:

Complete column K – Protective Data Security Plan. The date the PDSP is submitted to CPDP.
