The Victorian Protective Data Security Standards (VPDSS) establish 18 high level mandatory requirements to protect public sector information across governance and the four domains of information, personnel, ICT and physical security. The VPDSS are consistent with national and international standards and describe the Victorian Government’s approach to protecting public sector information. They focus on the outcomes that are required to enable efficient, effective and economic investment in security measures through a risk-managed approach.
The standards cover governance and the four security domains:
- Governance (e.g. executive sponsorship of and investment in security management, utilising a risk based approach, security policies and procedures, training, business continuity, security incident management, external party engagement and oversight).
- Information security (e.g. protection of information across the information lifecycle, from when it is created to when it is disposed of or destroyed).
- Personnel security (e.g. engagement and ongoing management to ensure the continued eligibility and suitability of people accessing official information).
- ICT security (e.g. secure communications and technology systems processing or storing information).
- Physical security (e.g. a secure physical environment, i.e. facilities, equipment and services, and the application of physical security measures to protect information).
Each standard is supported by four protocols, following the continuous improvement cycle of plan, do, check and act. This approach encourages your organisation to continually assess its security controls against any new or updated threats and vulnerabilities.
The standards:
- take into account the policy and operational responsibilities of the Victorian government
- respect the important role that Victorian public sector organisations play in delivering services
- reflect national and international approaches to security but are tailored to the Victorian government environment
- focus on the security of public sector information
- identify information security and ICT security as individual yet equally important security domains
- require contracted service providers with direct or indirect access to information to adhere to the standards.
The standards support a risk management approach that empowers government business to identify and manage its unique risks. This in turn informs good decision making, supports the achievement of business objectives and enables effective information sharing whilst protecting public sector information.
Issue of the Standards
The VPDSS were formally issued on 26th July 2016.
The standards were issued following approval and sign-off by the Special Minister of State, Gavin Jennings, and formal issue by the then Commissioner for Privacy and Data Protection. A copy of these signatories can be found here.
You can download a copy of the VPDSS from the links below.