OVIC Information Security Incident Notification Scheme
What is the scheme?
The information security incident notification scheme has been developed to centrally coordinate notification of information security incidents (incidents) within the Victorian government. It is established under Element E9.010 of the Victorian Protective Data Security Standards (VPDSS), which states:
The organisation notifies OVIC of incidents that have an adverse impact on the confidentiality, integrity, or availability of public sector information with a business impact level (BIL) of 2 (limited) or higher.
Where information assets have been assessed as BIL 2 or higher, organisations should notify OVIC of any incidents that compromise the confidentiality, integrity and/or availability (CIA) of that material.
If the information has not yet been assessed and/or assigned a BIL rating, but an incident occurs, we strongly encourage you to contact OVIC to discuss it.
For more information on how to assess an information asset refer to VPDSF Practitioner Guide: Assessing the Security Value of Information.
What is an information security incident?
An information security incident is defined as
‘one or multiple related and identified security events that can harm/damage an organisation, its assets, individuals or compromise its operations. Information security incidents may take many forms, such as compromises of electronic information held on government systems and services and include information in physical formats (e.g., printed, photographs, or recorded information either audio or video) and verbal discussions.’
Information security incidents can take the form of privacy breaches.
Who can notify OVIC when an incident occurs?
OVIC will accept notifications from anyone. The representative may be an information security lead (ISL), privacy officer, Chief Information or Security Officers (CIO, CISO), legal officer or public sector body Head.
For representatives submitting a notification on behalf of their organisation, please follow your incident management authorisation process to avoid duplicate submissions for the same incident.
What sort of incidents should I notify OVIC of?
Under element E9.010, VPS organisations should notify OVIC of incidents that have an adverse impact on the confidentiality, integrity or availability of public sector information with a business impact level (BIL) of 2 (limited) or higher.
This includes information with a protective marking of OFFICIAL: Sensitive, PROTECTED, Cabinet-In-Confidence or SECRET. Refer to your organisation’s BIL table or the VPDSF BIL table to assess the potential business impact level.
Incidents may take many forms. They are not limited to compromises of electronic information held on government systems and services, but also include compromises of information held in physical formats (e.g., printed documents, photographs, or recorded audio or video) or unauthorised verbal discussions. For example, the following scenarios would qualify as an incident:
- leaving a sensitive hard copy document on public transport
- someone tailgating personnel into a secure area where sensitive documentation is kept, and/or
- a sensitive conversation being overheard in a public cafe by a member of the public.
If the incident is of a criminal nature, or involves fraud/corruption, please follow your organisation’s policy on reporting these types of incidents to the relevant bodies.
The table below provides further examples of the types of incidents that OVIC should be notified about.
| Examples of incidents affecting public sector information | Control area | Security attribute |
|---|---|---|
| Sending an email to an incorrect email recipient | People/process | Confidentiality |
| Hard copy document/file left on public transport | People/process | Confidentiality/Availability |
| Tailgating into a secure area and accessing documents left on someone’s desk | Process | Confidentiality |
| Ransomware installed on a desktop restricting access to information | Technology | Availability |
| Incorrect protective marking placed on a document leading to mishandling of information | People | Confidentiality |
| A break-in to a facility and theft of information | Process | Confidentiality/Availability |
| A conversation being held in a public area that can be easily overheard | People | Confidentiality |
| Viewing information on an unlocked screen by someone who does not have a ‘need-to-know’ | Process | Confidentiality |
| Looking at documents left on a printer | People | Confidentiality |
| Incorrectly disposing of hard copy documents in a recycling bin | People/process | Confidentiality |
| Documents found in an unused cabinet/vacated premises | Process | Confidentiality |
| Information found on a decommissioned laptop/computer at a second-hand store | Process | Confidentiality |
| Information found on a lost unencrypted USB key | Process | Confidentiality/Availability |
| Personnel undertaking unauthorised activity on systems, e.g., manipulating/changing data in a database | People | Integrity |
| Disclosing classified information at a social gathering | People | Confidentiality |
| Hacker exfiltrating sensitive information to an external system | Technology | Confidentiality |
| Outsider launching a denial-of-service attack on a website | Technology | Availability |
Remember, your organisation’s Business Impact Level (BIL) table should be used as a guide to inform your notification obligations in relation to an incident. If the information affected by the incident has been assigned a security value of 2 (e.g., OFFICIAL: Sensitive) or higher, notification is required regardless of the severity of the actual incident.
For more information on how to conduct a security value assessment and determine the BIL value of the information affected in an incident please refer to Practitioner Guide: Assessing the security value of public sector information.
If public sector information does not have a BIL assigned, the business owner should be consulted to determine its security value, including the potential impact of a compromise of the confidentiality, integrity and/or availability of the information.
When should I notify OVIC?
Organisations should notify OVIC of an incident as soon as practicable and no later than 30 days after the incident has been identified. If a response capability is required, organisations are encouraged to seek support from:
- their own internal security resources;
- their parent entity (if one exists); and
- the Victorian Government’s Cyber Incident Response Service (CIRS) in the event of a cyber incident.
How do I notify OVIC of an information security incident?
There are several methods to notify OVIC of an incident including:
Online web form
Access via https://incident-notifications.ovic.vic.gov.au/
Once completed, select ‘submit incident notification’
Downloadable form
Access a Word version of the incident notification form
Once completed, assess the content of the form and apply the corresponding protective marking. You can then submit your completed incident notification form to incidents@ovic.vic.gov.au
If your incident is marked as PROTECTED or above, please contact a member of the Information Security Unit for advice on submission options.
Phone
Call 1300 00 OVIC (1300 006 842) to discuss the incident.
What information should I provide?
OVIC, organisations and the Victorian government will use the information provided in incident notifications to inform critical business decisions. To support these decisions, information must be timely, accurate and complete.
Where information about the incident is incomplete or not yet available, OVIC can receive updates from the notifying organisation as they become available.
OVIC has identified some key fields for organisations to consider when submitting their information security incident notification. The information security incident fields include:
| Incident notification fields | Description |
|---|---|
| Name of organisation | |
| Contact details | Provide the primary point of contact for OVIC to correspond with where further information is required, including name, phone number and email address. |
| When did it happen? | DD/MM/YYYY |
| When did the organisation become aware of it? | DD/MM/YYYY. The date the incident is discovered and recorded may differ from the date when it occurred. |
| What happened? | Summary of what happened and what you are doing about it. Free text field with a short description of the incident. |
| How did it happen? | For example: Who/what caused it? Was it malicious or accidental? Who accessed information in an unauthorised manner? Please be as specific as possible, e.g., if referring to a third party, name the party or describe the nature of the party. |
| Steps taken or proposed to contain the incident | |
| Steps taken or proposed to prevent future incidents | |
| **PRIVACY (PERSONAL INFORMATION) INCIDENTS** | |
| What personal information is involved? | Provide details, e.g., name, contact details, Information Privacy Principle (IPP) 10 categories of sensitive information. |
| What is the risk of harm to the affected individuals? | What type of harm? How serious is the risk of harm? How likely is the risk of harm? |
| Have affected individuals been notified about the incident? | If not, why? If so, how? What were the reactions? |
| **INCIDENT NOTIFICATION SCHEME** | |
| What type of information was affected? | For example: financial, personal, legal, health, policy, operational, critical infrastructure. |
| What is the assessed business impact level (BIL) of the affected information? | What is the highest business impact level of the affected information? Select the one that applies: BIL 1 – Minor; BIL 2 – Limited; BIL 3 – Major; or BIL 4 – Serious. |
| What security attributes were affected? | Select all that apply: Confidentiality (unauthorised disclosure); Integrity (unauthorised modification); and/or Availability (lost, stolen, unavailable). |
| What was the format of the affected information? | Select one that applies: Hard copy; Electronic; and/or Verbal. |
| Was the incident primarily caused by people, process and/or technology control(s)? | Select any that apply: People; Process; Technology; and/or No control(s) in place. |
| Who caused the incident? | Select the one that applies: Internal personnel; Authorised third party; Other external; or Other/unknown. |
| What was the threat type? | Select one that applies: Accidental/Error; Failure; Malicious; or Natural. |
| For cyber incidents, is incident response assistance required by the Cyber Incident Response Service (CIRS)? | Y/N. If you require incident response assistance and would like OVIC to send these incident details to CIRS on your behalf, please select Y. Please note: OVIC does not provide a 24/7 service, so if you require immediate assistance, please contact CIRS directly on 1300 278 842. |
| For incidents relating to personal information, is privacy assistance required by OVIC? | Y/N. If you require privacy assistance, please select Y and someone from the OVIC privacy team will contact you. |
| Has this incident been recorded in your organisation’s incident register? | Y/N. If Y, please provide the incident reference. |
| Has the incident been closed? | Y/N |
Who do I turn to for assistance when an incident occurs?
Every incident has unique characteristics and may require a different approach to resolution. The table below provides guidance on where agencies or bodies can seek assistance.
| Information security incident as a result of … | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| A lost document | Organisation | Organisation | Organisation | OVIC |
| Corrupt conduct of an individual | Organisation | Organisation | IBAC | OVIC |
| Physical access intrusion | Organisation | Organisation | Organisation | OVIC |
| Cyber intrusion | Organisation | Organisation | Cyber Incident Response Service (CIRS), if response assistance is required | OVIC |
| Breach of personal information | Organisation | Organisation | Organisation, and OVIC if privacy guidance is required | OVIC |