Vic govt gets new cyber security rules

Victoria's infosec and privacy watchdog has handed down a new set of cyber security rules that will force agency chiefs to attest to their compliance with minimum infosec standards each year.

The plan [pdf] - known as the Victorian protective data security framework (VPSDF) - comes two-and-a-half years after the previous Victorian government promised the state a formal strategy authored by infosec veteran Alastair MacGibbon.

For the last four years the state’s information protection regime has been governed by a hazy reference to the Commonwealth’s information security manual - a policy some public sector organisations have admitted they were never even aware of.

The state’s auditor-general made a number of disparaging findings about lax security practices within the public sector in that time.

But backed with new data protection legislation passed in 2014, the Commissioner for Data and Privacy Protection, David Watts, has now formally released new rules that will allow his office to keep tabs on how agencies are treating the data they hold about Victorians.

Under the new regime, central government agencies will have two years to conduct a risk profile assessment of their own level of vulnerability and write a formal data security plan in response.

Each year from then on, agency heads will need to attest to their compliance with the 18 demands of the protective data security framework in their day-to-day operations.

But the framework hints the commissioner won’t necessarily stop there.

The new security rules also oblige agencies to give the watchdog's investigators “free and full access to data or data systems when requested” and to hand over documents when requested.

The framework itself, however, is light on prescriptive or practical demands on how agencies should actually build security into their systems and operations.

Instead, it lists a number of documents and policies it expects applicable agencies will have in place, including:

• An organisation-specific security management framework, plus policies and procedures to see it embedded into day-to-day business practices, preferably aligned to ISO/IEC 27001
• An access management regime governing how who can access data and how
• Mandatory security training for staff and awareness programs centred on their data handling obligations
• A formal incident management plan
• A business continuity management plan, and 
• Contract terms that ensure third party suppliers also comply with Victorian data standards when they come into contact with public sector information.

In most cases, the framework asks that the plans comply with globally recognised security standards or Commonwealth security guidance like the information security manual (ISM) issued by the ASD.

It says all plans should have an appointed executive sponsor, but offers smaller agencies a little bit of leeway with the caveat that procedures should be built “proportionate to their size, resources and risk posture”.

The release of the strategy follows the debut of the Victorian Labor government's first IT strategy in May.