OVIC Information Security Incident Notification Scheme
What is the scheme?
The information security incident notification scheme benefits all who participate and provides tangible resources, trends analysis and risk reporting. Notification about information security incidents (incidents) affecting public sector information should not add unnecessarily to the incident management and response process for organisations.
Element E9.010 within the Victorian Protective Data Security Standards (VPDSS) states:
The organisation notifies OVIC of incidents that have an adverse impact on the confidentiality, integrity, or availability of public sector information with a business impact level (BIL) of 2 (limited) or higher.
The information security incident notification scheme has been developed to centrally coordinate notification of information security incidents (incidents) within Victorian government. It requires Victorian public sector (VPS) agencies or bodies to notify OVIC of incidents that compromise the confidentiality, integrity or availability of public sector information that have been security assessed as having a ‘limited’ business impact or higher 1 on government operations, organisations, or individuals.
Who can notify OVIC when an incident occurs?
OVIC will accept notifications from anyone. For representatives submitting a notification on behalf of their organisation, please follow your incident management authorisation process to avoid duplicate submissions for the same incident. The representative maybe an information security lead, privacy officer, Chief Information or Security Officers (CIO, CISO), legal officer or public sector body Head.
Who do I turn to for assistance when an incident occurs?
Every incident has unique characteristics and may require different approaches for resolution. The table below provides guidance where agencies or bodies can seek assistance.
| wdt_ID | Information security incident as a result of …. | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|---|
| 1 | A lost document | Organisation | Organisation | Organisation | OVIC |
| 2 | Corrupt conduct of an individual | Organisation | Organisation | IBAC | OVIC |
| 3 | Physical access intrusion | Organisation | Organisation | Organisation | OVIC |
| 4 | Cyber intrusion | Organisation | Organisation | Cyber Incident Response Service (CIRS) - if response assistance is required | OVIC |
| 5 | Breach of personal information | Organisation | Organisation | Organisation and OVIC - if privacy guidance is required | OVIC |
What sort of incidents should I notify OVIC of?
Under element E9.010, VPS organisations are required to notify OVIC of any compromise of public sector information that may cause ‘limited’ (BIL 2) or higher harm/damage to government operations, organisations, or individuals. This includes information with a protective marking of OFFICIAL: Sensitive, PROTECTED, Cabinet-In-Confidence or SECRET.
Incidents may take many forms. They are not just limited to compromises of electronic information held on government systems and services, but also include compromises of information held in physical formats (e.g., printed, photographs, recorded information either audio or video) or unauthorised verbal discussions. For example, the following scenarios would qualify as an incident:
- leaving a sensitive hard copy document on public transport;
- someone tailgating personnel into a secure area where sensitive documentation is kept; and/or
- a sensitive conversation being overheard in a public cafe by a member of the public.
If the incident is of a criminal nature, please follow your organisation’s policy on reporting these types of incidents to law enforcement authorities.
The table below provides further examples of the types of incidents that OVIC should be notified about.
| wdt_ID | Examples of incidents affecting public sector information | Control area | Security attribute |
|---|---|---|---|
| 21 | Sending an email to incorrect email recipient | People/process | Confidentiality |
| 23 | Hard copy document/file left on public transport | People/ process | Confidentiality/ Availability |
| 24 | Tailgating into a secure area and accessing documents left on someone’s desk | Process | Confidentiality |
| 25 | Ransomware installed on a desktop restricting access to information | Technology | Availability |
| 26 | Incorrect protective marking placed on a document leading to mishandling of information | People | Confidentiality |
| 27 | A break-in to a facility and stealing information | Process | Confidentiality/ Availability |
| 28 | A conversation being held in a public area that can be easily overheard | People | Confidentiality |
| 29 | Viewing information on an unlocked screen by someone who does not have a ‘need-to-know’ | Process | Confidentiality |
| 30 | Looking at documents left on a printer | People | Confidentiality |
| 31 | Incorrectly disposing of hard copy documents in recycling bin | People/ process | Confidentiality |
Remember, your organisation’s Business Impact Level (BIL) table should be used as a guide to inform your notification obligations in relation to an incident. If the information affected by the incident has a security value of 2 (e.g., OFFICIAL: Sensitive) or higher assigned to it (regardless of the severity of the actual incident), notification is required.
For more information on how to conduct a security value assessment and determine the BIL value of the information affected in an incident please refer to Practitioner Guide: Assessing the security value of public sector information.
If public sector information does not have a BIL assigned, the business owner should be consulted to determine its security value including the potential impact of a compromise to the confidentiality, integrity and/or availability of the information.
When should I notify OVIC?
Organisations should notify OVIC of an incident as soon as practical and no later than 30 days once an incident has been identified. If a response capability is required, organisations are encouraged to seek support from:
- their own internal security resources;
- their parent entity (if one exists); and
- the Victorian Government’s Cyber Incident Response Service (CIRS) in the event of a cyber incident.
Privacy breach considerations
If an incident relates to a breach of personal information, consider the impact on individuals and the need to notify them in a timely manner. Although some impacts may not appear high to the business, they may be for individual(s).
OVIC can assist with responding to incidents related to personal information. Where assistance is required, contact OVIC’s privacy team and refer to Managing the Privacy Impacts of a Data Breach on OVIC’s website.
How do I notify OVIC of an information security incident?
OVIC has published an incident notification form on its website for organisations to complete and submit. There are several methods to notify OVIC of an incident including:
- emailing your completed incident notification form to incidents@ovic.vic.gov.au; or
- phoning 1300 00 OVIC (1300 006 842).
Emailing your completed incident notification form is the preferred approach as it is the easiest method to ensure all submission details are accurately completed, recorded and, if requested, passed onto the relevant area e.g., OVIC’s Privacy team or CIRS.
What information should I provide?
OVIC, organisations and Victorian government will use the information provided in incident notifications to inform critical business decisions. To support these decisions, information must be timely, accurate and complete.
Where information about the incident is incomplete or not yet available, OVIC can receive updates from the notifying organisation as they become available.
OVIC has identified some key fields for organisations to consider when submitting their information security incident notification. The information security incident fields include:
| wdt_ID | Incident notification fields | Description |
|---|---|---|
| 1 | Name of organisation | |
| 2 | Contact details | Provide the primary point of contact details for OVIC to correspond with where further information is required including name, phone number, email address. |
| 3 | When did it happen? | DD/MM/YYYY |
| 4 | When did the organisation become aware of it? | DD/MM/YYYY |
| 5 | The date the incident is discovered and recorded may differ from the date when it occurred | |
| 43 | What happened? | Summary of what happened and what are you doing about it? |
| 44 | Free text field with a short description of the incident. | |
| 45 | How did it happen? | For example: |
| 46 | • Who / what caused it? | |
| 47 | • Was it malicious or accidental? | |
| Incident notification fields | Description |
What happens after OVIC is notified of an incident?
OVIC will acknowledge receipt of the notification and provide a reference number in case of any follow up communication regarding the notification.
In most cases, there will be nothing further required.
However, OVIC may contact you in the following circumstances:
- if your notification did not provide enough detail about the incident, we may request more information from you;
- if your notification points to a potentially serious or systemic breach of the Privacy and Data Protection Act 2014 (Vic) (PDP Act), we may contact you to make enquiries in accordance with OVIC’s Regulatory Action Policy; or
- if your notification indicates a risk of harm to the people whose personal information was involved, we may contact you to provide guidance about managing the privacy impacts of the data breach.
How does OVIC use incident notifications?
Incident notifications assist OVIC to develop a comprehensive security risk profile of the Victorian government. This can be used for trend analysis and understanding of the threat environment as it relates to the protection of public sector information. OVIC may share de-identified data with partnering organisations and may also share outcomes of its incident analysis with the CIRS.
OVIC publishes regular incident insights reports about trends and themes observed through the notifications. These reports are designed to assist organisations own risk reporting forums, and preparation of business cases for strategic security initiatives.
- Refer to the current VPDSF BIL table on the OVIC website https://ovic.vic.gov.au/data-protection/information-security-resources/ for further information.
