OVIC’s regulatory approach
OVIC employs an outcome-focused regulatory model. It concentrates on high-level assurance principles, supported by risk-informed monitoring activities. This model is aimed at delivering efficient, effective and economic security outcomes, is scalable in its implementation, and is backed by firm enforcement action where required.
In support of this regulatory approach, OVIC educates and supports VPS organisations, promoting understanding of the PDP Act and adherence to the Standards. Given this, the monitoring and assurance activities outlined in the Framework are typically based on a coordinated approach between OVIC and VPS organisations.
Nevertheless, OVIC has a legislative function to monitor organisational compliance with the PDP Act and adherence to the Standards. OVIC is also required to provide the Victorian Government with a level of assurance around the state of information security across the VPS.
The monitoring and assurance activities outlined in the Framework are based on a scalable approach including consultation, engagements, site walk-throughs and reviews, and more formal audits or investigations if warranted. These activities aim to drive improvements in information security practices, using a continuous improvement model.[1]
OVIC’s Regulatory Action Policy articulates the conditions under which OVIC led monitoring and assurance activities may be triggered. For a full outline of OVIC’s regulatory assurance functions, powers and associated triggers, refer to the Regulatory Action Policy available on the OVIC website.
Overview of OVIC’s monitoring and assurance activities
As an information security regulator, OVIC has a duty to oversee and support VPS organisations’ adherence to the Standards and Framework, as well as compliance with the PDP Act.
To fulfil its regulatory functions OVIC performs a variety of monitoring and assurance activities, designed to:
- foster confidence in the information security practices of Victorian Government;
- uplift VPS organisations’ information security capability and maturity;
- promote accountability, integrity and continuous improvement within the VPS regarding information security;
- empower risk-based decisions within the VPS regarding information security practices;
- measure effectiveness, efficiency and economic implementation of information security practices within the VPS;
- support VPS organisations’ compliance with requirements of Part 4 of the PDP Act and adherence to the Standards;
- verify and validate VPS organisations’ information security practices;
- investigate breaches of the Standards or PDP Act; and
- regulate the information security environment across the Victorian public sector.
By conducting these monitoring and assurance activities, OVIC can identify trends and themes in information security, issue advice or recommendations to VPS organisations, and report to government on the state of information security across the VPS.
Outline of OVIC’s monitoring activities
OVIC’s monitoring and assurance activities include:
- clarifying requirements of the PDP Act;
- assisting with enquiries regarding the intent of the Framework and Standards;
- overseeing VPS organisations’ application of the Standards, adherence to the requirements of the Framework and compliance with their obligations under Part 4 of the PDP Act;
- maintaining oversight of information security incident notifications;
- hosting awareness sessions in support of the Framework and Standards;
- facilitating an outreach program through its business engagement officers;
- conducting site walk-throughs, preliminary enquiries or reviews of a VPS organisation’s information security practices;
- staying abreast of information security trends and themes;
- identifying emerging issues and proactively consulting with VPS organisations on these matters; and
- ensuring the Standards are as consistent as possible with standards relating to information security (including international standards[2]).
In addition to this, OVIC regularly reviews its own information security product suite (Framework, Standards and supporting material) to validate the content and its currency. These reviews occur:
- on an annual basis;
- as the threat environment changes;
- if there are legislative or administrative changes to intersecting products that highlight the need for a review of the Framework or Standards; and/or
- as required.
Risk-prioritised monitoring and assurance activities
OVIC takes a risk-prioritised approach in scoping its assurance activities, considering:
- the security value of the VPS organisation’s information;
- the VPS organisation’s security risk profile;
- the VPS organisation’s control environment;
- notifications of any information security incidents of the VPS organisation; and
- the harm or damage that the PDP Act aims to reduce.
OVIC subsequently applies assurance resources to areas where:
- the risk is deemed the greatest; or
- the harm or damage would have the greatest impact.
Each of these factors helps OVIC make informed decisions regarding the type, nature, scale, priority and timing of relevant monitoring and assurance activities. These monitoring and assurance activities include:
- consultations with VPS organisations;
- outreach activities via business engagement officers;
- research projects and initiatives;
- monitoring developments in national and international standards;
- monitoring the current threat environment;
- information security incident notifications;
- review of VPS organisational PDSP reporting;
- failures by VPS organisations to report; and
- referrals from other regulators or administrative bodies.
Outcomes of these monitoring activities inform subsequent assurance activities, such as:
- site walk-throughs;
- conducting an audit;
- undertaking an investigation;
- referring a matter, or findings, to a partnering regulatory or administrative body;
- reporting to government on VPS organisational compliance with the PDP Act, or adherence to the Standards and/or Framework;
- reporting to a Minister on an information security matter; or
- publishing a public report on an information security matter.
VPS organisations are expected to cooperate during any monitoring and assurance activity led by OVIC.
Referral of findings or matters
Information obtained by OVIC can be referred to responsible parties (i.e. Victoria Police, Independent Broad-based Anti-Corruption Commission, Cyber Safety Unit) for urgent investigation or attention.
[1] Refer to Info Sheet: Guiding Principles of the Framework and Standards, available under the VPDSF resources section of the OVIC website.
[2] Division 2, Section 85(2) of the PDP Act.