Victorian Protective Data Security Framework (VPDSF)

July 11, 2016

The Victorian Government has issued the Victorian Protective Data Security Framework (VPDSF), which will require agency heads to attest each year to their compliance with the minimum information security standards.

Under the framework, central government agencies will have two years to conduct a risk profile assessment of their own level of vulnerability and write a formal data security plan in response.

Each year from then on, agency heads will need to attest to their compliance with the 18 requirements of the VPDSF in their day-to-day operations.

The new security rules also oblige agencies to allow the Commissioner's investigators “free and full access to data or data systems when requested” and to hand over documents when requested.

The framework itself, however, is light on prescriptive or practical instructions on how agencies should actually build security into their systems and operations. Instead, it lists a number of documents and policies it expects applicable agencies will have in place, including:

  • An organisation-specific security management framework, plus policies and procedures to see it embedded into day-to-day business practices, preferably aligned to ISO/IEC 27001
  • An access management regime governing who can access data and how
  • Mandatory security training for staff and awareness programs centered on their data handling obligations
  • A formal incident management plan
  • A business continuity management plan, and
  • Contract terms that ensure third party suppliers also comply with Victorian data standards when they come into contact with public sector information.

In most cases, the framework asks that the plans comply with globally recognised security standards (e.g. ISO 27001) or Commonwealth security guidance like the Information Security Manual issued by the ASD.

It says all plans should have an appointed executive sponsor, but offers smaller agencies a little bit of leeway with the caveat that procedures should be built “proportionate to their size, resources and risk posture”.

Centium is well positioned to assist Victorian Government agencies in meeting the requirements of the VPDSF. We can start by conducting a gap analysis to see what needs to be rectified. Thereafter, we can assist by bringing your agency up to par as required. Contact any of our Directors via phone on 1300-BEST-100 or via email at info@centium.com.au to find out how we can assist your agency.
