The Victorian Government has issued the Victorian Protective Data Security Framework (VPDSF), which will require agency heads to attest to their compliance with the minimum information security standards each year.
Under the framework, central government agencies will have two years to conduct a risk profile assessment of their own level of vulnerability and write a formal data security plan in response.
Each year from then on, agency heads will need to attest to their compliance with the 18 requirements of the VPDSF in their day-to-day operations.
The new security rules also oblige agencies to allow the Commissioner's investigators “free and full access to data or data systems when requested” and to hand over documents when requested.
The framework itself, however, is light on prescriptive or practical instructions on how agencies should actually build security into their systems and operations. Instead, it lists a number of documents and policies it expects applicable agencies will have in place, including:
In most cases, the framework asks that the plans comply with globally recognised security standards (e.g. ISO 27001) or Commonwealth security guidance like the Information Security Manual issued by the ASD.
It says all plans should have an appointed executive sponsor, but offers smaller agencies a little bit of leeway with the caveat that procedures should be built “proportionate to their size, resources and risk posture”.
Centium is well positioned to assist Victorian Government agencies in meeting the requirements of the VPDSF. We can start by conducting a gap analysis to see what needs to be rectified. Thereafter, we can assist by bringing your agency up to par as required. Contact any of our Directors via phone on 1300-BEST-100 or via email at email@example.com to find out how we can assist your agency.