We recommend installing Microsoft Edge, Google Chrome, Safari, Firefox, or Opera to visit the site.
Information Security Resources
This section contains a suite of resources to help Victorian public sector organisations in understanding and implementing the Victorian Protective Data Security Framework and Victorian Protective Data Security Standards.
Latest updates
Security Insights The Incidents Insights Report for Jan to June 2024 been published Updated 17/10/2024
Using the VPDSS to assist with CIRMP obligations has been published Updated 21/08/2024
Victorian Protective Data Security Standards Implementation Guidance has been published Updated 27/02/2024
Public Statement: Use of Microsoft 365 Copilot in the Victorian public sector has been published Updated 21/10/2024
Victorian Protective Data Security Framework
The Victorian Protective Data Security Framework (VPDSF) provides direction to Victorian public sector (VPS) agencies or bodies on their data security obligations. Reflecting the sector’s unique operating requirements, it will build security risk management capability and maturity through the use of existing risk management principles and guidelines.
Victorian Protective Data Security Standards
The Victorian Protective Data Security Standards (VPDSS) establish 12 high level mandatory requirements to protect public sector information across all security areas including governance, information, personnel, Information Communications Technology (ICT) and physical security.
Introductory resources
Below is a list of videos, guides and information sheets which will help Victorian public sector staff if they are new to information security.
Executives
Public sector body Heads have legislative accountability for the information security practices of their organisation under the PDP Act. The below guidance can help with gaining executive sponsorship and buy-in.
A video series created for VPS organisations and personnel with access to public sector information, providing an overview of information security, organisations' applicability under the Privacy and Data Protection Act, the VPDSS, and your information security responsibilities.
Does the VPDSF apply to your organisation?
This guide summarises which VPS organisations are subject to Part 4 of the Privacy and Data Protection Act 2014.
This document outlines practical activities designed to assist organisations in managing information security risks.
Information Sheet: Guiding Principles
This information sheet outlines the guiding principles of the VPDSF and VPDSS to help VPS organisations evaluate their current and prospective security practices.
Information Sheet: Partnering Entities
OVIC partners with a range of VPS organisations on information security. This information sheet outlines the functions of these organisations and their relationship to the VPDSF and VPDSS.
Information Security General Executive Briefing Pack
This briefing pack can be used to brief executives and leadership on Parts 4 and 5 of the PDP Act and obligations under these parts of the PDP Act only.
Information Sheet: Top Questions for the Audit and Risk Committee Members
This document provides suggested questions to pose to an Audit and Risk Committee to identify how an organisation's information security program is progressing.
Information Sheet: Information Security Leads
This information sheet provides guidance on the important role that information security leads play in implementing the VPDSF and VPDSS.
Victorian Protective Data Security Standards Guidance
The below guidance helps VPS organisations with implementing understanding and implementing the VPDSS.
Identifying and Recording Information Assets
The below guidance helps VPS organisations to ensure information assets are identified, managed and maintained effectively.
VPDSS Implementation Guidance (including VPDSS Elements)
This guide was designed to help VPS organisations implement the VPDSS, outlining the VPDSS Elements and providing additional related reference material.
Implementation Guidance for Industrial Automation and Control Systems
This guidance helps organisations that operate Industrial Automation and Control Systems (IACS) with applying the Victorian Protective Data Security Standards (VPDSS) to those environments.
This document defines the terms and acronyms used in the VPDSS and VPDSF material.
High-level mapping of VPDSS V2.0 to V1.0
This reference document maps the former V1.0 Standards to the current V2.0 Standards.
Detailed mapping of VPDSS Elements - V2.0 to V1.1
This reference document provides a detailed mapping of the former V1.1 Standards and Elements to the current V2.0 Standards and Elements.
Using the VPDSS to assist with CIRMP obligations
This document provides VPS organisations that have reporting obligations under the SOCI Act to utilise the VPDSS to fulfil some of their CIRMP requirements.
Practitioner Guide: Identifying and Managing Information Assets
This Practitioner Guide provides guidance on conducting an information review, defining information assets and establishing an Information Asset Register.
Template: Sample Information Asset Register
This template is designed to help organisations develop an Information Asset Register or enhance their existing one.
Assessing the Security Value of Information
The below guidance were designed to help VPS organisations to perform information security value assessments, which are important to understand the security value of public sector information.
Applying Protective Markings
The below guidance provides an overview of protective markings; visual security labels that signify the confidentiality requirements of public sector information, and how to securely handle this material.
Practitioner Guide: Assessing the Security Value of Public Sector Information
This Practitioner Guide provides guidance on conducting an information security value assessment and determining the overall security value of public sector information using Business Impact Levels.
VPDSF Business Impact Level Table
This document outlines Business Impact Levels (BILs) and provides examples of potential impacts across different categories. VPS organisations should use this resource to create their own contextualised BIL table.
This app was designed to help users conduct a general information security value assessment by presenting the Business Impact Level table in a digital, sequenced format. VPS organisations should refer to their own contextualised BIL table in the first instance.
Train the Trainer Resource: Protective Markings
This resource was developed to assist Information Security Leads in rolling out Protective Marking training across their organisation.
Practitioner Guide: Protective Markings
This Practitioner Guide explains the current protective marking scheme, including what protective markings are and what they should be applied to.
User Guide: Handling Protectively Marked Information
This User Guide provides guidance on how to manage protectively marked information and can be used by VPS organisations when explaining protective markings to their users.
This two page visual representation consists of a high-level flowchart guiding users in their selection of a protective marking, and an indicative mapping between the old protective markings and the current scheme.
VPDSF Technical Specification Email Protective Markings
This document defines the technical implementation of email protective markings for VPS organisations and is designed for practitioners and information security leads.
Information Security Risk Management
The below guidance can help VPS organisations with their responsibility to effectively identify and manage information security risks across the information lifecycle.
Information Security Incident Management
Information security incidents involve compromises to government information and/or systems and take many forms. The below guidance can help VPS organisations with the development and maintenance of systems to address and manage incidents, including notifying OVIC.
Practitioner Guide: Information Security Risk Management
This Practitioner Guide explains the fundamentals of security risk management helping organisations undertake a Security Risk Profile Assessment (SRPA).
Practitioner Guide: Control Analytics
This Practitioner Guide provides guidance on a quantitative approach to validate the appropriateness and effectiveness of selected controls and manage security risks.
Risk Scenario 1 - Cloud Service Case Study
This case study focuses on risks associated with cloud-based services and is designed to help organisations conduct security risk assessments.
Risk Scenario 2 - Legacy Systems Case Study
This case study focuses on risks associated with legacy systems and is designed to help organisations conduct security risk assessments.
Risk Scenario 3 - Personnel Security Case Study
This case study focuses on risks associated with personnel security and is designed to help organisations conduct security risk assessments.
Practitioner Guide: Developing an Information Security Incident Management Framework V2.0
This Practitioner Guide provides guidance on a comprehensive approach to information security incident management to address Standard 6 of the VPDSS.
Information Sheet: OVIC Information Security Incident Notification Scheme
This information sheet provides an overview of OVIC's information security incident notification scheme including when and how to notify OVIC.
Form: OVIC Information Security Incident Notification Form
Organisations should use this form to notify OVIC of an information security incident.
Significant Change
When VPS organisations experience a significant change to their operations, their protective data security obligations may change as a result. Organisations who undergo a significant change have legislative obligations under Part 4 of the PDP Act.
Security Insights
OVIC conducts monitoring and assurance activities in accordance with the PDP Act, the Standards and the Framework. The below resources contain useful security insights for VPS organisations.
Information Sheet: Significant Change Notification Process
This information sheet outlines what may constitute a significant change, and OVIC's expectations of organisations that have undergone a significant change.
Form: Notification to the Information Commissioner of Significant Change
VPS organisations that have undergone a significant change should notify OVIC using this form.
OVIC publishes Incident Insights Reports that provide an overview and analysis of incident notifications received by OVIC under the information security incident notification scheme.
Protective Data Security Plan Insights
OVIC publishes statistics and general insights drawn from Protective Data Security Plans (PDSPs). These insights and observations include general trends and themes observed across the VPS, a breakdown of implementation status of each Standard by WoVG vs. portfolio and next steps for OVIC and VPS organisations.
Local Government Authorities
Local Government Authorities hold the personal information of many Victorians and have information security obligations under the PDP Act.
Class B Cemetery Trusts
Class B Cemetery Trusts hold sensitive information about many Victorians and have specific information security obligations under the PDP Act.
Information Sheet: Local Government Obligations under Part 4 of the PDP Act
This information sheet outlines the information security obligations of local government organisations under the VPDSF and VPDSS.
Information security tips for Class B Cemetery Trusts
This page contains useful guidance for Class B Cemetery Trusts including on third-party providers and more.
Victorian Information Security Network
The Victorian Information Security Network is a platform for stakeholders across government and industry to discuss data protection issues and initiatives.
Information Security Management Framework
A governance resource that articulates the information security management approach of the organisation.
This page contains resources from Victorian Information Security Network forums.
Template: Security Management Framework
This template can help organisations to develop a Security Management Framework, or improve any existing security management frameworks to ensure core areas are addressed.
Archived content
Below is a list of archived publications that are no longer current, but may contain useful reference material.
This document map provides a visual representation of OVIC's suite of information security guidance and highlights how each of the resources relate to one another.
This document defines the terms used in the VPDSS.
Victorian Protective Data Security Obligations During COVID-19
This information sheet addresses three frequently asked questions on information security during COVID-19.
This document contains questions and answers from the VPDSS V2.0 consultation period in November 2019.
Roundtables on Transition to New Protective Marking Scheme
A summary of questions posed to OVIC's Information Security Unit during the September 2020 round tables in support of the transition to the new protective marking scheme.
VPDSF: Rosetta Stone - Core and Supplementary
A mapping of the VPDSS against existing security standards adopted by VPS organisations.
The VPDSS 1.0 establish 18 high level mandatory requirements to protect public sector information across governance and the four domains of information, personnel, ICT and physical security.