OVIC Compliance
If you are a Victorian Public Sector Stakeholder accountable to a Victorian Department you need to develop a Protective Data Security
Plan (PDSP) that complies with the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS).
This can be an overwhelming task as it requires detailed knowledge of information security risk management, cybersecurity business impact, the cybersecurity threat landscape, current cybersecurity posture, existing cybersecurity vulnerabilities, cybersecurity technical controls and their effectiveness before needing to develop a cybersecurity strategy that identifies the organisation’s critical information assets, information owners, current cybersecurity posture and desirable future state.
Many organisations are not sufficiently resourced to undertake such a task.
Sypha Security has worked with many organisations to assist them with developing and implementing their cybersecurity strategy, PDSP and submitting their annual attestations.
All our consultants come from an IT technical background, have other 20 years of experience in cybersecurity and have worked in many cybersecurity leadership positions across many public and private sectors.
We can even act as your SO, CSO or nominated Information Security Lead.
OVIC Information Security – 5 Step Action Plan
[1] Information Assets
An essential first step in establishing an information security program, is identifying the organisation’s information assets. Simply put: you cannot protect what you do not know.
During this phase, we conduct an information review to discover all information assets and develop an information asset register (IAR) where information assets are centrally recorded and managed.
[2] Business Impact
Many organisations may know they collect and store information but the value of this information remains unknown. The impact on the business, if this information becomes compromised, may be significantly greater than most organisations realise.
During this phase we conduct a thorough Business Impact Assessment, defining the business impact level and recording the outcomes in the IAR. We also establish the protective marking and labelling policy to be used by the organisation
[3] Risk Assessment
Organisations need to actively manage security risks to their information assets. Regular information security risk assessments need to be performed relating to information assets to assess:
• information security risk
• physical security risk
• personnel security risk
• information technology risk
During this phase, we perform a thorough Security Risk Profile Assessment (SRPA) and establish a formal risk register to centrally record and manage risk.
[4] Control Library
Once phases 1 – 3 have been completed we then assess the existing security controls that are in place, identify the gaps and develop a cybersecurity strategy and roadmap that formalises the improvements required to meet the control elements outlined in the VPDSS.
The cybersecurity strategy will include the development of the PDSP and will be included in the annual attestation report.
[5] Continuous Improvement
Cybersecurity maturity never ends, it is a continuous improvement journey that needs to pivot and adapt to the ever-changing cyber-threat and regulatory landscape.
Sypha Security will work with the organisation to develop regular review and assessment cycles to ensure compliance with the changing regulatory environment and cyber-threat landscape.
OVIC Resources
List of useful resources from OVIC: