
Protective Data Security Plan (PDSP)

Information Security

Victorian Protective Data Security Standards

Reporting information security capability and implementation progress Single-Organisation Reporting Form

Version 2.1 February 2020

Freedom of Information | Privacy | Data Protection


Table of Contents

Document details 3
Introduction to the Protective Data Security Plan 4
Part A - Agency Head executive summary 8
  Security program executive summary from the past 24 months 9
  Challenges or barriers 9
  Organisation Profile Assessment 10
Part B - Information security self-assessment and implementation plan 11
  Standard 1 – Information Security Management Framework 12
  Standard 2 – Information Security Value 14
  Standard 3 – Information Security Risk Management 15
  Standard 4 – Information Access 16
  Standard 5 – Information Security Obligations 17
  Standard 6 – Information Security Incident Management 18
  Standard 7 – Information Security Aspects of Business Continuity and Disaster Recovery 19
  Standard 8 – Third Party Arrangements 20
  Standard 9 – Information Security Reporting to OVIC 21
  Standard 10 – Personnel Security 22
  Standard 11 – Information Communications Technology (ICT) Security 23
  Standard 12 – Physical Security 24
Part C - Feedback to OVIC (optional) 26
Part D - Attestation 28
Appendix A - Form field explanations 29


Document details

Version 1.0 (Sep 2017): Original (Excel spreadsheet)

Version 1.1 (Feb 2018):

• High Level Protective Data Security Plan (Word document) replaced.

• Renamed the original protective data security plan to detailed protective data security plan.

• Reporting by exception.

Version 2.0 (Nov 2019):

• For formal reporting purposes, this version of the PDSP replaces:
  o High Level PDSP
  o Detailed PDSP
  o Self-Assessment

• Added the following components to the PDSP:
  o Executive Summary
    § Security program executive summary from the past 24 months
    § Challenges and Barriers
  o Information Security Self-assessment
  o Organisation Profile Assessment
  o Feedback to OVIC

• Word document replaced by PDF Form with exportable fields.

Version 2.1 (Feb 2020):

• Read-only fields in Part A amended.

Introduction to the Protective Data Security Plan

What is a Protective Data Security Plan (PDSP)?

A Protective Data Security Plan (PDSP) serves several purposes. It is designed to:

• help you assess your organisation’s information security capability;

• summarise your progress towards your implementation of the Victorian Protective Data Security Standards (Standards); and

• provide assurance to the Office of the Victorian Information Commissioner (OVIC) that your organisation is making progress towards improving information security.

Why do I need a PDSP?

The PDSP is a useful document for you to validate your organisation’s capability uplift journey and confirm that activities are in place to achieve your desired level of information security maturity over the next 24 months. The information captured in this document may provide a useful summary to organisational stakeholders, providing a level of confidence in how you are progressing against the implementation of the Standards.

It is also a requirement under the Privacy and Data Protection Act 2014 (PDP Act) [1].

When do I have to submit my PDSP?

You are required to submit your PDSP by 31 August 2020.

Prior to this deadline, if your organisation has had a significant change to its operating environment or its security risks, you are encouraged to contact OVIC.

What should I capture in my PDSP?

PDSPs submitted by 31 August 2020 should cover security activities across 2018-2020, and any future planned activities.

How do I know that I am using the correct version of the PDSP form?

A current copy of this form can be found under the VPDSF Resources section of the OVIC website, or obtained directly from a representative in the OVIC Information Security Unit. Organisations looking to validate the authenticity of the downloaded Adobe form can do so by comparing its checksum against the checksum provided on OVIC’s website [2].

[1] Privacy and Data Protection Act 2014, Section 89 Protective data security plans.

[2] A checksum is a sequence of numbers and letters used to check the file integrity.

How do I submit the PDSP?

Submission options will vary, depending on the protective marking of the PDSP. For a PDSP with a protective marking of:

• OFFICIAL or OFFICIAL: Sensitive, you can email a copy of the PDSP to [email protected], or

• PROTECTED or above, you must contact the OVIC Information Security Unit for further advice.

Submissions of PDSPs in soft copy assist OVIC with timely analysis and reporting back to Government and your organisation.

Incomplete PDSPs will not be accepted by OVIC. Please ensure all applicable fields are complete before submitting.

Who should complete the PDSP form?

The PDSP form should be completed by a person with sufficient knowledge of the security operations of the organisation.

Who is responsible for the PDSP?

Under the PDP Act, your public sector body Head must develop, and is responsible for, your organisation’s PDSP. OVIC suggests that the PDSP be signed by the public sector body Head to acknowledge that statutory responsibility.

Who can submit the PDSP?

Under the PDP Act, your public sector body Head is responsible for providing a copy of your organisation’s PDSP to OVIC. However, your organisation’s PDSP can be given to OVIC by anyone authorised by your organisation. Part A of the PDSP form identifies the authorised person.

Who attests?

While any person authorised by the organisation can attest, the public sector body Head must ensure that the organisation does not contravene the Standards.

The attestation is set out in Part D of this PDSP form.

How will the information in the PDSP be managed?

The information you provide will be managed in accordance with the protective marking you assign. The contents of this PDSP are exempt from the Freedom of Information Act 1982.

How will the information in the PDSP be used?

OVIC has a responsibility to provide ministers and the public with assurance regarding information security capabilities across government. The information you provide in this report will be used as an input in determining progress towards meeting your organisation’s information security objectives and will form the basis of reporting back to your organisation, and the Victorian Government including the Victorian Government Chief Information Security Officer.


The OVIC Information Security Unit will:

• use the self-assessment report to help plan its engagement and support activities;

• use information to inform assurance activities;

• provide feedback to organisations based on their submissions; and

• use feedback provided for statistical reporting for the improvement of OVIC resources.

What happens if I don’t submit a PDSP?

If your organisation fails to submit a PDSP it will be in breach of the legislation. To find out more about OVIC’s regulatory action approach, refer to the OVIC Regulatory Action Plan available on OVIC’s website.

How do I fill in the PDSP form?

The single-organisation PDSP is a single PDF form, comprised of four parts:

Part A – Security Program Executive Summary

This part:

• provides an opportunity for organisations to present achievements across the past 24 months, and describe any challenges or barriers to their security program; and

• poses a series of questions that help form an Organisation Profile Assessment.

Part B: Information security self-assessment and implementation plan

This part requires you to:

• nominate your organisation’s maturity ratings against each standard; and

• note how your organisation is tracking with its implementation of the VPDSS elements.

Part C: Feedback to OVIC

Whilst this section is optional, your feedback provides OVIC’s Information Security Unit with important insights into the value of the tools and advice we provide to organisations implementing the Standards.

Part D: Attestation by the public sector body Head.

N.B. Attestations are required in accordance with Standard 9 (Information Security Reporting to OVIC).

How much detail is needed on the PDSP?

You should include enough detail for OVIC to gain sufficient insight into the security program of your organisation and understand the progress that you have made in information security capability. This includes capturing any issues or barriers that you have identified.


Using the fields on the PDSP form

Form field explanations can be found in Appendix A, and links to Appendix A are provided throughout this form.

The PDSP form is predominantly made up of drop-down fields with some availability for free-text. Where there are free-text fields, character limits may apply.

If you intend to print this document, be aware that some of the text that you enter in this document may be cut off due to space restrictions. If this PDSP is electronically submitted (unscanned) to OVIC your full response will be captured, character limits notwithstanding.

What protective marking do I label my PDSP with?

Once your PDSP form is completed, you need to perform an assessment [3] and assign a protective marking to the form.

This protective marking will help inform the management and handling requirements of the PDSP, including the most appropriate submission method to OVIC.

How do I get assistance?

If your organisation requires assistance in understanding the process, you can contact OVIC’s Information Security Unit at [email protected].

[3] Refer to “Practitioner Guide: Assessing the Security Value of Public Sector Information” for an outline of how to conduct this assessment process. This guide can be accessed from OVIC's website.


Part A - Agency Head executive summary

Name of public sector agency or body

Name of the portfolio in which the organisation operates

Name of public sector body Head (e.g. Department Secretary, CEO)

• Full name

• Position Title

• Phone number

• Email address

• Postal address

Name of person authorised by the public sector body Head to submit a copy of the PDSP (including attestation)

• Same as public sector body Head (check box)

• Full name

• Position Title

• Phone number

• Email address

• Postal address

Nominated point of contact

• Same as person authorised by the public sector body Head (check box)

• Full name

• Position Title

• Phone number

• Email address

• Postal address


Security program executive summary from the past 24 months

Challenges or barriers

Please select any challenges or barriers that may be inhibiting implementation of the Standards.

Financial

Resourcing

Capability

Legislative

External third-party dependencies

Machinery of Government

Lack of clarity around roles and responsibilities within organisation

Lack of understanding of the Standards

Other (please describe below)


Organisation Profile Assessment

This section assists OVIC’s understanding of your organisation’s security profile.

Factors

Number of employees within your organisation

• Full-Time Equivalent

• Volunteers

Does your organisation have critical assets [4]?

Does your organisation obtain, generate, receive or hold information at Business Impact Level (BIL) 3 [5] or higher?

What is the protective marking [6] breakdown of information assets within your organisation? (Approximate percentage (%) for each row)

Former protective marking scheme → Current protective marking scheme

• Unclassified → OFFICIAL

• For-Official-Use-Only/Sensitive → OFFICIAL: Sensitive

• Sensitive: Vic Cabinet or Cabinet-In-Confidence → Cabinet-In-Confidence

• PROTECTED

• CONFIDENTIAL

• SECRET

• TOP SECRET

• Percentage of information not assessed

• Total registered information assets [7]

How many information security incidents [8] were recorded in your Incident register over the last 24 months?

In which part of your organisation does the ongoing management of your information security program reside?

Did you procure a third party to assist in the completion of your PDSP?

Third-Party Arrangements

How many third-party arrangements with direct access to your information are in place?

What is the highest protective marking that the third parties are accessing?

[4] Essential or important assets, which if severely compromised, degraded, rendered unavailable for an extended period or destroyed, would have major impact on the social or economic wellbeing of the Victorian community.

[5] The Victorian Protective Data Security Framework Business Impact Level (BIL) Table can be found at www.ovic.vic.gov.au.

[6] Protective markings are described in OVIC’s VPDSF Information Security Management Collection, which can be found on our website www.ovic.vic.gov.au. N.B. Agencies or bodies have until October 2020 to implement the new protective marking scheme.

[7] Please note this is a calculated field and should add up to 100%.

[8] Any information security incidents, not just ICT.

Part B - Information security self-assessment and implementation plan

Instructions

Each Standard has several fields to complete. For an explanation of the form fields, please refer to Appendix A.

Standard 1 – Information Security Management Framework

An organisation establishes, implements and maintains an information security management framework relevant to its size, resources and risk posture.

Maturity assessment: Current | 2022 Target | 2024 Aspiration

Element assessment

Elements | Status | Entity Risk Ref(s) | Supporting Control Library | Proposed Completion

E1.010 The organisation documents a contextualised information security management framework (e.g., strategy, policies, procedures) covering all security areas.

E1.020 The organisation’s information security management framework contains and references all legislative and regulatory drivers.

E1.030 The organisation’s information security management framework aligns with its risk management framework.

E1.040 Executive management defines information security functions, roles, responsibilities, competencies and authorities.

E1.050 Executive management nominates an information security lead and notifies OVIC of any changes to this point of contact.

E1.060 Executive management owns, endorses and sponsors the organisation’s ongoing information security program(s) including the implementation plan.

E1.070 The organisation identifies information security performance indicators and monitors information security obligations against these.

E1.080 Executive management commits to providing sufficient resources to support the organisation’s ongoing information security program(s).

E1.090 The organisation sufficiently communicates its information security management framework and ensures it is accessible.


E1.100 The organisation documents its internal control library that addresses its information security risks.

E1.110 The organisation monitors, reviews, validates and updates the information security management framework.


Standard 2 – Information Security Value

An organisation identifies and assesses the security value of public sector information.

Maturity assessment: Current | 2022 Target | 2024 Aspiration

Element assessment

Elements | Status | Entity Risk Ref(s) | Supporting Control Library | Proposed Completion

E2.010 The organisation's Information Management Framework incorporates all security areas.

E2.020 The organisation identifies, documents and maintains its information assets in an information asset register (IAR) in consultation with its stakeholders.

E2.030 The organisation uses a contextualised VPDSF business impact level (BIL) table to assess the security value of public sector information.

E2.040 The organisation identifies and documents the security attributes (confidentiality, integrity and availability business impact levels) of its information assets in its information asset register.

E2.050 The organisation applies appropriate protective markings to information throughout its lifecycle.

E2.060 The organisation manages the aggregated (combined) security value of public sector information.

E2.070 The organisation continually reviews the security value of public sector information across the information lifecycle.

E2.080 The organisation manages externally generated information in accordance with the originator’s instructions.

E2.090 The organisation manages the secure disposal (archiving/destruction) of public sector information in accordance with its security value.


Standard 3 – Information Security Risk Management

An organisation utilises its risk management framework to undertake a Security Risk Profile Assessment to manage information security risks.

Maturity assessment: Current | 2022 Target | 2024 Aspiration

Element assessment

Elements | Status | Entity Risk Ref(s) | Supporting Control Library | Proposed Completion

E3.010 The organisation conducts security risk assessments and determines treatment plans in accordance with its risk management framework covering all the processes to manage information security risks including:

• Risk identification;

• Risk analysis;

• Risk evaluation; and

• Risk treatment.

E3.020 The organisation records the results of information security risk assessments and treatment plans in its risk register.

E3.030 The organisation considers information security risks in organisational planning.

E3.040 The organisation communicates and consults with internal and external stakeholders during the information security risk management process.

E3.050 The organisation governs, monitors, reviews and reports on information security risk (e.g., operational, tactical and strategic) through a risk committee (or equivalent, e.g., audit, finance, board, corporate governance).


Standard 4 – Information Access

An organisation establishes, implements and maintains an access management process for controlling access to public sector information.

Maturity assessment: Current | 2022 Target | 2024 Aspiration

Element assessment

Elements | Status | Entity Risk Ref(s) | Supporting Control Library | Proposed Completion

E4.010 The organisation documents an identity and access management policy covering physical and logical access to public sector information based on the principles of least-privilege and need-to-know [9].

E4.020 The organisation documents a process for managing identities and issuing secure credentials (registration and de-registration) for physical and logical access to public sector information.

E4.030 The organisation implements physical access controls (e.g., key management, swipe card access, visitor passes) based on the principles of least-privilege and need-to-know.

E4.040 The organisation implements logical access controls (e.g., network account, password, two-factor authentication) based on the principles of least-privilege and need-to-know.

E4.050 The organisation manages the end-to-end lifecycle of access by following provisioning and de-provisioning processes.

E4.060 The organisation limits the use of, and actively manages, privileged physical and logical access and separates these from normal access (e.g., executive office access, server room access, administrator access).

E4.070 The organisation regularly reviews and adjusts physical and logical access rights taking into account operational changes.

[9] The principles of restricting an individual’s access to only the information they require to fulfil the duties of their role.

Standard 5 – Information Security Obligations

An organisation ensures all persons understand their responsibilities to protect public sector information.

Maturity assessment: Current | 2022 Target | 2024 Aspiration

Element assessment

Elements | Status | Entity Risk Ref(s) | Supporting Control Library | Proposed Completion

E5.010 The organisation documents its information security obligations and communicates these to all persons with access to public sector information (e.g., policies, position descriptions).

E5.020 The organisation’s information security training and awareness content covers all security areas.

E5.030 The organisation delivers information security training and awareness to all persons with access to public sector information, upon engagement and at regular intervals thereafter in accordance with its training and awareness program and schedule.

E5.040 The organisation provides targeted information security training and awareness to persons in high risk functions or who have specific security obligations (e.g., executives, executive assistants, procurement advisors, security practitioners, risk managers).

E5.050 The organisation reviews and updates the information security obligations of all persons with access to public sector information.

E5.060 All persons with access to public sector information acknowledge their information security obligations at least annually (e.g., during performance development discussions, attending security briefings, completing security training).

E5.070 The organisation monitors, reviews, validates and updates its information security training and awareness program and schedule.


Standard 6 – Information Security Incident Management

An organisation establishes, implements and maintains an information security incident management process and plan relevant to its size, resources and risk posture.

Maturity assessment: Current | 2022 Target | 2024 Aspiration

Element assessment

Elements | Status | Entity Risk Ref(s) | Supporting Control Library | Proposed Completion

E6.010 The organisation documents and communicates processes and plan(s) for information security incident management covering all security areas.

E6.020 The organisation articulates roles and responsibilities for information security incident management.

E6.030 The organisation’s information security incident management processes and plan(s) contain the five phases of:

• Plan and prepare;

• Detect and report;

• Assess and decide;

• Respond (contain, eradicate, recover, notify); and

• Lessons learnt.

E6.040 The organisation records information security incidents in a register.

E6.050 The organisation’s information security incident management procedures identify and categorise administrative (e.g., policy violation) incidents in contrast to criminal incidents (e.g., exfiltrating information to criminal associations) and investigative handover.

E6.060 The organisation regularly tests (at least annually) its incident response plan(s).


Standard 7 – Information Security Aspects of Business Continuity and Disaster Recovery

An organisation embeds information security continuity in its business continuity and disaster recovery processes and plans.

Maturity assessment: Current | 2022 Target | 2024 Aspiration

Element assessment

Elements | Status | Entity Risk Ref(s) | Supporting Control Library | Proposed Completion

E7.010 The organisation documents and communicates business continuity and disaster recovery processes and plans covering all security areas.

E7.020 The organisation identifies and assigns roles and responsibilities for information security in business continuity and disaster recovery processes and plans.

E7.030 The organisation regularly tests (at least annually) its business continuity and disaster recovery plan(s).


Standard 8 – Third Party Arrangements

An organisation ensures that third parties securely collect, hold, manage, use, disclose or transfer public sector information.

Maturity assessment: Current | 2022 Target | 2024 Aspiration

Element assessment

Elements | Status | Entity Risk Ref(s) | Supporting Control Library | Proposed Completion

E8.010 The organisation’s information security policies, procedures and controls cover the entire lifecycle of third party arrangements (e.g., contracts, MOUs and information sharing agreements).

E8.020 The organisation includes requirements from all security areas in third party arrangements (e.g., contracts, MOUs and information sharing agreements) in accordance with the security value of the public sector information.

E8.030 The organisation undertakes an information security risk assessment of the third party's service offering and addresses any residual risks prior to finalising the arrangement.

E8.040 The organisation identifies and assigns information security roles and responsibilities in third party arrangements (e.g., contracts, MOUs and information sharing agreements).

E8.050 The organisation establishes, maintains and reviews a register of third party arrangements (e.g., contracts, MOUs and information sharing agreements).

E8.060 The organisation monitors, reviews, validates and updates the information security requirements of third party arrangements and activities.

E8.070 The organisation documents its information release management requirements (e.g., social media, news, DataVic).

E8.080 The organisation manages the delivery of maintenance activities and repairs (on-site and off-site).

E8.090 The organisation applies appropriate security controls upon completion or termination of a third party arrangement (e.g., contracts, MOUs and information sharing agreements).


Standard 9 – Information Security Reporting to OVIC

An organisation regularly assesses its implementation of the Victorian Protective Data Security Standards (VPDSS) and reports to the Office of the Victorian Information Commissioner (OVIC).

Maturity assessment: Current | 2022 Target | 2024 Aspiration

Element assessment [10]

Elements | Status | Entity Risk Ref(s) | Supporting Control Library | Proposed Completion

E9.010 The organisation notifies OVIC of incidents that have an adverse impact on the confidentiality, integrity or availability of public sector information with a business impact level (BIL) of 2 (limited) or higher [11].

E9.020 The organisation submits its Protective Data Security Plan (PDSP) to OVIC every two years.

E9.030 Upon significant change, the organisation submits its reviewed PDSP to OVIC.

E9.040 The organisation annually attests to the progress of activities identified in its PDSP to OVIC.

[10] All elements under Standard 9 are mandatory and are unable to be entered as "Not applicable".

[11] Refer to the current VPDSF BIL table on the OVIC website www.ovic.vic.gov.au/data-protection/for-agencies/vpdsf-resources/ for further information.

Standard 10 – Personnel Security

An organisation establishes, implements and maintains personnel security controls addressing all persons’ continuing eligibility and suitability to access public sector information.

Maturity assessment: Current | 2022 Target | 2024 Aspiration

Element assessment

Elements | Status | Entity Risk Ref(s) | Supporting Control Library | Proposed Completion

E10.010 The organisation's personnel security policies and procedures address the personnel lifecycle phases of:

• Pre-engagement (eligibility and suitability);
• Engagement (ongoing and re-engagement); and
• Separating (permanently or temporarily).

E10.020 The organisation verifies the identity of personnel, re-validates and manages any changes as required.

E10.030 The organisation undertakes pre-engagement screening commensurate with its security and probity obligations and risk profile.

E10.040 The organisation manages ongoing personnel eligibility and suitability requirements commensurate with its security and probity obligations and risk profile.

E10.050 The organisation manages personnel separating from the organisation commensurate with its security and probity obligations and risk profile.

E10.060 The organisation develops security clearance policies and procedures to support roles requiring high assurance and/or handling security classified information.

E10.070 The organisation undertakes additional personnel screening measures commensurate with the risk to support roles requiring high assurance and/or handling security classified information.

E10.080 The organisation actively monitors and manages security clearance holders.


Standard 11 – Information Communications Technology (ICT) Security

An organisation establishes, implements and maintains Information Communications Technology (ICT) security controls.

Maturity assessment: Current 2022 | Target 2024 | Aspiration

Element assessment

Elements | Status | Entity Risk Ref(s) | Supporting Control Library | Proposed Completion

E11.010 The organisation manages security documentation for its ICT systems (e.g., system security plans).

E11.020 The organisation manages all ICT assets (e.g., on-site and off-site) throughout their lifecycle.

E11.030 The organisation conducts a security assessment for authorising systems to operate prior to transmitting, processing or storing public sector information.

E11.040 The organisation undertakes risk-prioritised vulnerability management activities (e.g., patch management, penetration testing, continuous monitoring systems).

E11.050 The organisation documents and manages changes to ICT systems.

E11.060 The organisation manages communications security controls (e.g., cabling, telephony, radio, wireless networks).

E11.070 The organisation verifies the vendors' security claims before implementing security technologies.

E11.080 The organisation manages security measures (e.g., classification, labelling, usage, sanitisation, destruction, disposal) for media.

E11.090 The organisation manages standard operating environments (SOEs) for all ICT assets, including end user access devices (workstations, mobile phones, laptops), network infrastructure, servers and Internet of Things (IoT) commensurate with security risk.


E11.100 The organisation manages security measures for email systems.

E11.110 The organisation logs system events and actively monitors these to detect potential security issues (e.g., intrusion detection/prevention systems (IDS/IPS)).

E11.120 The organisation uses secure system administration practices.

E11.130 The organisation designs and configures the ICT network in a secure manner (e.g., segmentation, segregation, traffic management, default accounts).

E11.140 The organisation manages a process for cryptographic keys (e.g., disk encryption, certificates).

E11.150 The organisation uses cryptographic controls for confidentiality, integrity, non-repudiation and authentication commensurate with the risk to information.

E11.160 The organisation manages malware prevention and detection software for ICT systems.

E11.170 The organisation segregates emerging systems from production systems (e.g., physical and/or logical) until their security controls are validated.

E11.180 The organisation manages backup processes and procedures (e.g., schedule, isolation, storage, testing, retention).

E11.190 The organisation manages a secure development lifecycle covering all development activities (e.g., software, web based applications, operational technology (Supervisory Control and Data Acquisition/Industrial Control Systems (SCADA/ICS))).

E11.200 The organisation manages security measures for enterprise mobility (e.g., mobile device management, working from home).


Standard 12 – Physical Security

An organisation establishes, implements and maintains physical security controls addressing facilities, equipment and services.

Maturity assessment: Current 2022 | Target 2024 | Aspiration

Element assessment

Elements | Status | Entity Risk Ref(s) | Supporting Control Library | Proposed Completion

E12.010 The organisation plans and documents physical security measures.

E12.020 The organisation applies defence-in-depth physical security measures.

E12.030 The organisation selects physical security measures commensurate with the business impact level of the information.

E12.040 The organisation has scalable physical security measures ready for activation during increased threat situations.

E12.050 The organisation implements physical security measures when handling information out of the office.

E12.060 The organisation manages physical security measures throughout their lifecycle.


Part C - Feedback to OVIC (optional)

While this step is optional, your feedback provides us with important insights into the value of the tools and advice we provide to organisations implementing the Victorian Protective Data Security Standards (VPDSS).

Area | Statement | Disagree | Mostly Disagree | Agree | Mostly Agree | Strongly Agree

Area: Organisation Security Practices

• My organisation’s staff understand the requirements of our internal security policies and procedures
• My organisation’s contractors understand the requirements of our internal security policies and procedures
• My organisation’s staff and contractors understand what security controls to apply when handling official information
• My organisation’s staff and contractors are able to identify and know how to report a security incident if one happens
• My organisation’s third parties, with direct access to public sector information, understand our organisation’s internal security policies and procedures

Area: PDSP

• The Protective Data Security Plan was easy to complete
• I felt supported by my parent entity in the completion of the Protective Data Security Plan (leave blank if not applicable)
• The PDSP provides good oversight of our information security program to our executives

Area: Resources

• The VPDSF resources provide adequate guidance
• Information security resources are easy to locate on the OVIC website
• Specific information security communities of practice would be beneficial
• Victorian Information Security Network (VISN) forums and events are effective
• My agency would benefit from OVIC conducting more VISN events


What else can we do to help?

Would you like to work with OVIC on developing content that can be shared with other organisations?

Area | Statement | Disagree | Mostly Disagree | Agree | Mostly Agree | Strongly Agree

Area: VPDSS

• The VPDSS assist in addressing my organisation’s information security risks
• The VPDSS are easy to understand
• The VPDSS scale well to meet the security needs of my environment
• The implementation of the VPDSS is seen as a risk-based activity rather than a compliance activity

Area: OVIC Information Security Team

• Overall, the OVIC Information Security Team provides excellent service
• The members of the OVIC Information Security Team are seen as subject matter experts in their field
• The OVIC Information Security Team is responsive to my questions or concerns


Part D - Attestation

This attestation is submitted to the Information Commissioner in accordance with s 8D(2)(b) of the Privacy and Data Protection Act 2014 and Standard 9 in the Victorian Protective Data Security Standards 2.0 (the Standards).

I am authorised to make this attestation to the Office of the Victorian Information Commissioner.

I, , verify that has implemented the key activities or is in the process of implementing key activities (either in progress or planned), as required by the Standards, which are issued in accordance with s 86(1) of the Privacy and Data Protection Act 2014 as part of the Victorian Protective Data Security Framework.

Print name:

Position:

Date:

(Check box)


Appendix A - Form field explanations

Following is a description of each field, its purpose and list of possible options / responses.

Security program executive summary from the past 24 months

This free text field is used to highlight a summary of achievements during the last 24 months that would be of interest to the public sector body Head and OVIC.

Challenges and barriers

Please select the items that your public sector body Head and OVIC need to be aware of that may be inhibiting the implementation of your information security program.

Maturity assessment

The security measures identified in your self-assessment are a demonstration of the extent of the security capability in your organisation. Once these capabilities are identified, you can assess the maturity of your organisation’s security measures. These maturity levels should be used as a guide that help direct focus on improvement activities and security investment designed to mature the organisation’s security capability.

The nature of capability maturity models is such that not every organisation will need to achieve the highest maturity level across each of the standards. The maturity levels will be dependent on the economic, efficient and effective use of the resources available to your organisation. To help organisations contextualise these maturity levels, the following maturity descriptions are provided [12].

Value Description

Informal Processes are usually ad-hoc and undocumented. Some base practices may be performed within the organisation, however there is a lack of consistent planning and tracking. Most improvement activity occurs in reaction to incidents rather than proactively. Where practice is good it reflects the expertise and effort of individuals rather than institutional knowledge. There may be some confidence security-related activities are performed adequately, however this performance is variable and the loss of key staff may significantly impact capability and practice.

Basic The importance of security is recognised and key responsibilities are explicitly assigned to positions. At least a base set of protective security measures are planned and tracked. Activities are more repeatable and results more consistent compared to the ‘informal’ level, at least within individual business units. Policies are probably well documented, but processes and procedures may not be. Security risks and requirements are occasionally reviewed. Corrective action is usually taken when significant problems are found.

Core Policies, processes and standards are well defined and are actively and consistently followed across the organisation. Governance and management structures are in place. Risk assessment and management activities are regularly scheduled and completed. Historic performance information is periodically assessed and used to determine where improvements should be made.

Managed Day-to-day activity adapts dynamically and automatically in response to situational changes. Quantitative performance measures are defined, baselined and applied to ensure security performance is analysed objectively and can be accurately predicted in advance. In addition to meeting VPDSS requirements, the organisation also implements many optional ‘better practice’ requirements in response to its risk assessment.

12 Adapted from New Zealand Protective Security Requirements (PSR).

Optimised Security is a strategic issue for the organisation. Long-term planning is in place and integrated with business planning to predict and prepare for protective security challenges. Effective continuous process improvement is operating, supported by real-time, metrics-based performance data. Mechanisms are also in place to encourage, develop and test innovations.

Once you have completed the ‘element assessment’ under each of the standards in this form, take some time to review the combined/overall effectiveness of the controls implemented and take the average of these to determine your current maturity assessment for the standard.

Status

This field provides your organisation with a statement of applicability (SOA) and status of implementation against each of the VPDSS elements.

You should review each of the elements listed against each standard and select the appropriate status from the values provided. The following status descriptors are available:

Value Description

Not Commenced You have not yet defined or planned the work needed to meet the requirement. Alternatively, you have started work but there are significant risks it cannot be completed.

Planned You have a program of work in place that includes work to meet the requirement; and the program is appropriately planned and resourced.

Partial You have delivered some of the elements needed to meet the requirement. Remaining work is underway and progressing as planned.

Implemented You currently meet the requirement.

Not Applicable As a general rule, most of the elements will apply and only a few may not. The security value of the organisation’s information assets should be considered when determining whether an element is applicable or not, as some of the elements are scalable based on the security value of the asset they are protecting. For example, elements related to specific topics [13] such as:

• PER-060 Organisations with roles handling security classified information or requiring high assurance develop security clearance policies and procedures
• PER-070 Organisations with roles handling security classified information or requiring high assurance undertake additional personnel screening measures commensurate with the risk

13 VPDSS 2.0 - Standard 10 Personnel Security


If you assess an element as not being applicable to your organisation, please select “Not Applicable” from the drop-down list. Any elements deemed not applicable must be accompanied by a rationale explaining why it is not applicable. “Not Applicable” and “Not Commenced” are not valid fields in Standard 9.

Entity Risk Ref(s)

Depending on the maturity of an organisation’s risk management framework and processes, security risks will be managed in either the sample VPDSF Security Risk Profile Assessment (SRPA) template or your organisational risk register. The purpose of this field is to identify the organisational risk reference that the implemented control(s) addresses.

For example, it is expected that an organisation has at least one information security risk registered in its risk register. For further guidance on risk management please refer to Chapter One of OVIC’s Assurance Collection – Protective Data Security Risk Profile Assessment.

Risk Reference

Free text field for referencing risk(s) that the control is treating.

Supporting Control Library

The VPDSS Elements are a list of high-level outcomes and serve two purposes, to:

• modify risks; and

• be implemented in order to meet the objectives of the Standards.

Each element has been derived from various sources (control references), and provides guidance on particular security controls that can assist organisations implementing the Standards.

OVIC recognises that some organisations may have already implemented controls to mitigate their security risks, beyond those described in the VPDSS primary sources (control references).

As the VPDSF promotes a risk-based approach, OVIC accepts alternative control libraries that support the intent of each standard and positively modify organisational risks. Should organisations wish to use these alternative control libraries, they must provide (at a minimum) functional equivalency to what the VPDSS primary source (control reference) describes.

Below is a list of popular control libraries that are in use:

Control Library Description

VPDSSE Victorian Protective Data Security Standard Element

For organisations that determine the element is descriptive and inclusive enough as a control.

ISM Australian Government Information Security Manual

The Australian Government Information Security Manual is a suite of controls designed to help Government agencies apply a risk-based approach to protecting their information and ICT systems. It helps organisations use their risk management framework to protect information and systems from cyber threats.


NIST National Institute of Standards and Technology Cybersecurity Framework

This Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk.

AS ISO/IEC 27002:2015

Information technology - Security techniques - Code of practice for information security controls

The ISO/IEC 27000-series comprises mutually supporting information security standards that together provide a globally recognised framework for best-practice information security management.

Other No descriptor

A control library that is not listed.

Proposed Completion Enter the financial year the VPDSS element is expected to be implemented. This column is used to prioritise the list of activities by financial year. If you have a number of programs or activities that address the element, that span multiple years, please select the latest completion date.

If the activities have been completed, please select “Completed”.

Attestation

The 'person authorised by the public sector body Head to submit a copy of this PDSP' must submit a copy of this PDSP via email, post, or in person, and not delegate this task to another person.