VPS organisations’ obligations
VPS organisations are required to conduct their own monitoring and assurance activities in accordance with:
These monitoring and assurance activities track a VPS organisation’s exposure to information security risks and articulate how it plans to identify, mitigate or manage those risks.
The monitoring and assurance activities outlined in this Framework are based upon a capability maturity model (CMM). Using this model, OVIC expects VPS organisations to monitor their progress and assess their adherence to the Standards, nominating both a current and a target maturity rating.
This model helps VPS organisations assess their existing information security capabilities, as well as identify opportunities to improve through the nomination of target maturity ratings.
Accountability of the public sector body Head
Public sector body Heads are ultimately accountable for the monitoring and assurance activities of their VPS organisation.
The public sector body Head is also required to seek their own form of assurance from any CSP / third party with access to the VPS organisation’s public sector information.[3]
When developing a monitoring and assurance program, the public sector body Head (or delegate) should seek input from internal subject matter experts and relevant external stakeholders. These stakeholders could include:
- originators of information assets, information owners, stewards, custodians, users or administrators;
- local work unit managers;
- procurement teams / managers;
- risk managers;
- internal / external auditors;
- information security practitioners;
- information security leads;
- contracted service providers; and
- partnering organisations.
Compliance obligations of VPS organisations
Sections 88 and 89 of the PDP Act outline the compliance obligations of VPS organisations with respect to the Standards, and require VPS organisations to:
- undertake a SRPA; and
- develop a PDSP and submit a copy to OVIC.
OVIC also requires VPS organisations to constructively assist OVIC in performing any monitoring and assurance activities. This includes assisting OVIC by providing free and full access, at all reasonable times, to public sector information or systems.[4]
What is a Security Risk Profile Assessment (SRPA)?
A SRPA is a four-stage process that enables VPS organisations to identify, analyse, evaluate and treat information security risks.
A VPS organisation should undertake a SRPA regularly (at least annually). The SRPA process must include assessments of third parties that deal with public sector information for the VPS organisation, for example, contracted service providers.[5]
The outcomes of a SRPA should be documented in a VPS organisation’s risk register.
The SRPA process supports efficient, effective and economical investment decisions, both in meeting business objectives and in selecting and implementing controls.
For more information about how to undertake the SRPA process, refer to Practitioner Guide: Information Security Risk Management available under the VPDSF resources section of the OVIC website.
What is a Protective Data Security Plan (PDSP)?
A PDSP is a reporting tool, used by VPS organisations to:
- advise OVIC of their maturity level and implementation status of the Standards, referencing the information security risks identified through the SRPA process;
- articulate the VPS organisation’s security profile;[6] and
- attest to the implementation activities as required by the Standards.
This formally endorsed document is OVIC’s primary information source for assessing the state of information security across the VPS. Consequently, it is essential that VPS organisations self-report accurately in their PDSPs.
To download a current copy of the PDSP template, please refer to the Agency reporting obligations page on the OVIC website.
Timeframes and deliverables in practice
VPS organisations operate under a reporting cycle that gives them time to complete the necessary deliverables in accordance with the PDP Act and the Standards. The following table sets out the reporting cycle with associated timeframes and deliverables.
| Item | Deliverable | Timeframe |
|---|---|---|
| 1 | Undertake and/or update a SRPA for the organisation | Annual |
| 2 | Provide OVIC with an Attestation by the public sector body Head | Annual |
| 3 | Submit a PDSP (including an Attestation) by the public sector body Head | Biennial (every 2 years) |
| 4 | Submit an updated PDSP to OVIC within an agreed timeframe if there is significant change to the operating environment of the VPS organisation, or to the security risks relevant to the VPS organisation | In consultation with OVIC |
| 5 | Notify OVIC of any information security incidents that compromise the confidentiality, integrity or availability of public sector information, with a ‘limited’ business impact or higher on government operations, organisations or individuals | As required |
Developing an organisational monitoring and assurance program
Information security monitoring and assurance programs will differ depending on the VPS organisation. There are a variety of factors that can influence the scope and subsequent delivery of these activities, including the size, nature and complexity of the VPS organisation.
Scoping an organisational monitoring and assurance program
In order for a VPS organisation to develop a robust plan to mitigate or manage its information security risks, it must first establish a detailed appreciation of:
- the security value[7] of their information assets;
- the risks posed to these information assets; and
- the effectiveness of the security controls that are currently in place.
VPS organisations should also remain mindful of the ongoing need to continually monitor:
- their information security programs;
- their adherence to the Standards;
- CSPs’ adherence to the Standards;
- obligations under the Framework; and
- compliance with the PDP Act.
In support of these requirements, OVIC recommends VPS organisations reference the Five Step Action Plan.
Five step action plan
| Step | Action |
|---|---|
| 1 | Identify your information assets |
| 2 | Determine the ‘value’ of this information |
| 3 | Identify any risks to this information |
| 4 | Apply security measures to protect the information |
| 5 | Manage risks across the information lifecycle |
For more information on the Five Step Action Plan, refer to the VPDSF resources section of the OVIC website.
Contracted service provider / third party assurance
VPS organisations should seek advice and input from partnering entities and relevant stakeholders (including CSPs and other government organisations) who have direct or indirect access to the VPS organisation’s information assets. These parties can introduce new risks when handling public sector information, which need to be identified and captured as part of the VPS organisation’s SRPA, and subsequently managed via the VPS organisation’s PDSP.
VPS organisations may consider taking a risk-prioritised approach when scoping third-party assurance activities. Prior to entering into any third-party arrangement, it is expected that the VPS organisation undertakes an information security risk assessment of the third party’s service offering and addresses any residual risks prior to finalising the arrangement.
When undertaking this assessment, VPS organisations should take into account:
- the type, nature and priority of the third-party arrangement;
- the security value of the information accessed or used under that arrangement; and
- the level of access and ongoing oversight of the CSP or third party throughout the engagement.
Once an engagement is in place, VPS organisations may seek ongoing assurance via scalable activities such as:
- obtaining a ‘letter of comfort’/annual confirmation letter/self-assessment;
- conducting a desktop audit of processes and practices;
- conducting an onsite audit; and/or
- undertaking an investigation.
Undertaking organisational monitoring and assurance activities
VPS organisations are expected to perform the following monitoring and assurance activities to help demonstrate their adherence to the Standards and Framework, as well as their compliance with the requirements in the PDP Act. These activities include:
- assessing the security value of their information assets;[8]
- undertaking a SRPA (at least annually);
- reviewing, validating and updating internal control libraries[9] (including validating the appropriateness of security controls);
- developing a PDSP that:
  - assesses the information security capability of the VPS organisation;
  - summarises their progress towards implementation of the Standards; and
  - provides a level of assurance to OVIC that they are making progress towards improving information security;
- reviewing their PDSP at least every two years (or sooner if there is significant organisational change);
- monitoring for information security incidents and notifying OVIC if required under the Information Security Incident Notification Scheme;[10] and
- providing assurance through Attestation to OVIC (annually).
Notes
[1] As outlined under Section 88(1) and (2) of the PDP Act.
[2] As outlined in Standard Nine – Information Security Reporting.
[3] This includes where a third party collects, holds, uses, manages, discloses or transfers public sector information on behalf of the VPS organisation, as outlined in Sections 88 and 89 of the PDP Act.
[4] Sections 106, 109 and 110 of the PDP Act.
[5] As outlined under Section 89(2) of the PDP Act.
[6] Part A of the PDSP template contains a section for an ‘Organisation Profile Assessment’. For a current copy of the PDSP template, refer to the VPDSF resources section of the OVIC website.
[7] For more information on this activity, refer to Practitioner Guide: Assessing the Security Value of Public Sector Information, available under the VPDSF resources section of the OVIC website.
[8] For more information on this activity, refer to Practitioner Guide: Assessing the Security Value of Public Sector Information, available under the VPDSF resources section of the OVIC website.
[9] An internal control library is a collection of documented, specific security measures selected by the VPS organisation. This internal control library is based on the VPDSS Elements and the organisation’s unique operating requirements.
[10] VPS organisations must notify OVIC of incidents that compromise the confidentiality, integrity or availability of public sector information with a ‘limited’ business impact (BIL of 2) or higher on government operations, organisations or individuals, as soon as practical and no later than 30 days after an incident has been identified. To download a current copy of the incident notification form and corresponding instructions, refer to the Incident Notification section of the OVIC website.