Audit report published on the identification and security value assessment of public sector information
The Victorian Protective Data Security Standards (Standards) provide a risk-based approach to information security designed to protect public sector information. Organisations subject to Part 4 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act) must adhere to the Standards.
OVIC has completed an audit that assessed four Victorian public sector (VPS) organisations’ adherence to Standard 2. Standard 2 requires VPS organisations to identify and assess the security value of public sector information.
OVIC audited the Department of Treasury and Finance, Barwon Region Water Corporation, the Victorian Institute of Forensic Medicine and CenITex.
OVIC assessed each organisation against the elements under Standard 2 and examined whether the organisations had accurately reported in their 2020 Protective Data Security Plans to OVIC.
OVIC assessed documentation provided by each agency including Information Asset Registers, and policy and procedure documents. OVIC staff also conducted interviews with key personnel at each agency.
All audited agencies had practices, procedures, and systems in place to assess the security value of information they hold. OVIC observed that each organisation used security value assessment outcomes to inform appropriate security measures needed to protect public sector information.
In some cases, the audit found some differences between how organisations assessed themselves against some elements of the Standards and OVIC’s assessment of their information.
The audit report outlines a range of recommendations for each agency to strengthen the identification and security value assessment of public sector information.
For guidance on identifying and assessing public sector information refer to:
- Standard 2 of the Victorian Protective Data Security Standards
Audit under section 8D(2)(b) of the Privacy and Data Protection Act 2014 (Vic)
- Practitioner Guide: Identifying and Managing Information Assets
This Practitioner Guide provides guidance on conducting an information review, defining information assets and establishing an Information Asset Register.
- Template: Sample Information Asset Register
This template is designed to help organisations develop an Information Asset Register or enhance their existing one.
- Practitioner Guide: Assessing the Security Value of Public Sector Information
This Practitioner Guide provides guidance on conducting an information security value assessment and determining the overall security value of public sector information using Business Impact Levels.
For media enquiries contact:
For enquiries about information security in Victoria contact:
Office of the Victorian Information Commissioner (OVIC)
t: 1300 006 842