Are you VPDSF ready?

March 8, 2019

The Victorian Protective Data Security Framework (VPDSF) is the mandatory scheme for managing protective data security risks across Victoria’s public sector. Victorian public sector agencies, including local Councils with Committees of Management, must comply with the VPDSF and should have attested their compliance by August 2018 and every two years thereafter. The Office of the Victorian Information Commissioner reserves the right to conduct audits and spot checks at any time.

The VPDSF offers a means to continually improve information security practices, manage risks, promote innovation and increase productivity. It encourages cultural change in the Victorian public sector by promoting information security as part of everyday business. Information security involves most areas of an organisation’s activities, including people (personnel security), buildings and offices (physical security), systems (IT security), paper records (records management) and standard business processes; it is not “just an IT thing”.

The Standards

The 18 standards prescribe the Victorian Government’s approach to protecting public sector information. They address governance and four other security domains and feature core messages, including:

  • Security Governance (12 standards): executive sponsorship of, and investment in, security management utilising a risk-based approach.
  • Information Security (three standards): protection of information, regardless of media or format (hard and soft copy material), across the information lifecycle from when it is created to when it is disposed of.
  • Personnel Security (one standard): engagement and employment of eligible and suitable people to access information.
  • ICT Security (one standard): secure communications and technology systems processing or storing information.
  • Physical Security (one standard): a secure physical environment (i.e. facilities, equipment and services) and the application of physical security measures to protect information.

Does It Apply To You?

You need to comply with the VPDSF if you are:

  • a Department
  • an Administrative Office
  • the Victorian Public Service Commissioner
  • a special body listed in Section 6 of the Public Administration Act (2004)
  • the Victoria Police
  • a Crime Statistics Agency
  • a public entity as defined in section 5 of the Public Administration Act (2004) (meaning certain bodies created under an Act, by a Minister or by the Governor in Council that exercise a public function on behalf of the State). This includes local councils which operate under a committee of management.

Check your organisation’s applicability to the framework using the diagram below:

What You Need To Do

The OVIC recommends a five-step approach to develop your Protective Data Security Plan and secure your organisation’s information assets:

In practical terms, this means you need to:

  • Undertake a Security Risk Profile Assessment
  • Develop a Protective Data Security Plan
  • Complete a self-assessment
  • Review your Protective Data Security Plan at least every two years (or sooner if there is significant organisational change).

By August 2018, you should have reported the following to the OVIC:

  • An attestation capturing compliance status at a high-level
  • A high-level Protective Data Security Plan

Thereafter, you are obliged to submit follow-up reports every 2 years (or sooner if there is significant organisational change).

How Centium Can Help You

Centium has vast experience in supporting Victorian public-sector organisations to cut through the complexity and implement the VPDSF in a structured, practical and “fit for purpose” way.

We have already assisted Victorian agencies to meet their VPDSF obligations and can share our experiences and “lessons learnt” with you, saving you from reinventing the wheel. If you have not met your 2018 obligations, we can help you to do so.

We can help you to meet your mandatory VPDSF obligations by:

  • Conducting a Security Risk Profile Assessment;
  • Developing a Protective Data Security Plan;
  • Implementing aspects of your Protective Data Security Plan;
  • Reviewing and enhancing your information asset inventory and their associated security classifications and Business Impact Levels;
  • Integrating your VPDSF obligations with your other frameworks such as ISO 9000, ISO 27000, PCI DSS and more;
  • Supplementing your in-house teams with additional skills and resources;
  • Supplementing in-house internal audit teams to review and assure protective data security controls;
  • Providing training and support to help you achieve your VPDSF obligations;
  • Reviewing or developing and testing a Security Incident Response Plan;
  • Reviewing or developing and testing a Business Continuity Plan and IT (Disaster) Recovery Plan.

Our Expert Team

Our team includes specialist practitioners with decades of hands-on and practical protective data security expertise. We have helped Victorian government entities to meet their VPDSF obligations and can share those experiences and innovations with you.

For more information, please download our Service Sheet.

To discuss how we can help you meet your compliance obligations and help improve your protective data security, email us at info@centium.com.au or call us on 13002378100.
