WA should take note of Victoria's new security framework

Just a few weeks after WA’s auditor general reported that the state government was still failing to meet even the most basic of infosec standards, its neighbour over in Victoria has upped the game.

The Victorian protective data security framework (VPDSF) [pdf] has finally been published, two-and-a-half years after it was initially promised, marking a step change for state governments in Australia.

Prior to its introduction, as with most other states, the only assurance frameworks governments alluded to comprised loose references to the federal government’s Protective Security Policy Framework (PSPF), the Australian Signals Directorate’s Information Security Manual (ISM) and the international security standard, ISO 27001.

Publication of the VPDSF is a massive step forward for the Victorian government, showing determined cyber security leadership from central government while offering a progressive information assurance framework that can be used as a benchmark for all other states.

Take note, WA.

Under the new rules of the VPDSF, Victorian government agencies will have two years to carry out an organisation-wide information security risk assessment, designed to expose any vulnerabilities and issues with their baseline controls.

This will allow agencies to write a formal data security plan that clearly shows how they will deal with their inadequacies and fix the problems. After establishing the initial baseline, compliance must be attested to each year by agency heads, where they will be required to meet all 18 standards listed within the VPDSF.

What’s interesting is that the 18 standards listed in this document are nothing new to the information security industry. Starting with the first three standards, agencies will be required to do the following:

• Establish an appropriate information security management framework, more than likely based on ISO 27001;
• Utilise a risk management framework to manage security risks; and
• Establish, implement and maintain security policies and procedures proportionate to their size, resources and risk posture.

The use of ISO 27001 comes as no surprise, especially since government organisations all over the world are adopting it as the preferred security management system. ISO 27001 is flexible enough to allow you to use your own control set and manage the scope accordingly, so as long as you meet all the primary objectives of the security management system, you’re all set.

The VPDSF also suggests that the approach to risk management should align with both the Victorian government risk management framework (VGRMF) and ISO 31000. This shows a keen adoption of international standards, allowing for a much more flexible approach to implementation, since it’s more likely that they’ll be able to hire security professionals with at least the standards-based experience.

Thirdly, building a comprehensive information security corpus of policies and procedures will allow agencies to develop security requirements that can be pushed into all projects, live running systems, and even physical controls that can be audited against for government buildings and facilities.

Standard 6 calls for the establishment of a security training and awareness program, which is also one of the critical controls required under ISO 27001. 

Many of the other controls directly align with ISO 27001, so it should be relatively easy to adopt a program of work that implements this standard, with a simple mapping to the underlying VPDSF protocols to ensure everything is covered.

Standard 14 contains an important set of protocols, stating "an organisation must establish, implement and maintain information security controls in their information management framework".

The controls that are referenced are not those contained within ISO 27002, as they are in other standards in this document; instead this one refers to the federal government’s PSPF and, in particular, to the ISM.

The framework also leans on the ISM and PSPF for the management of IT resources in standard 17.

This is a great framework for improving information security in Victoria. What’s most heartening is that the Victorian government has shown leadership in fixing the issues we’ve seen time and time again with state government security.

Let’s hope this is the beginning of a new trend that sees other states follow suit.