VPDSS V2.0 Implementation Guidance V2.3 Web Version

The Victorian Protective Data Security Standards (VPDSS) provide a framework for managing the security of public sector information in Victoria, issued by the Office of the Victorian Information Commissioner. The document outlines the standards and objectives aimed at ensuring the confidentiality, integrity, and availability of information throughout its lifecycle. Version 2.3, published in February 2024, includes updates to primary sources and reflects ongoing improvements in information security practices.

OFFICIAL

Victorian Protective Data Security Standards
Version 2.0

Implementation Guidance Version 2.3

Document details

Document: Victorian Protective Data Security Standards
Publication date: February 2024
Review date: February 2025
Protective Marking: OFFICIAL
CM ref / location: D24/758
Document status: Published
Authority: Office of the Victorian Information Commissioner (OVIC)
Author: Information Security

Version Control

Version 1.0 (June 2016): N/A

Version 1.1 (March 2018): Updated some control references.

Version 2.0 (October 2019):
• Removed protocols.
• Integrated elements including:
  o a mapping to their primary control source.
  o providing old and new numbering.
• Updated primary sources where the elements have been derived from.
• Globally replace ‘protective data security’ with ‘information security’.
• Globally replace ‘public sector data’ with ‘public sector information’.
• Merged the following standards: 1 and 3; 2 and 11; 5 and 6; 9, 10 and 15; 13 and 14.
• Changed ordering of standards by moving the ‘Information Security Value’ standard to be Standard 2.
• Replace Standard 12 – Compliance with a new standard on reporting.
• Globally change language to active voice.
• Remove ‘must’ statements.

Version 2.1 (January 2021):
• Add new sentence to the Primary Sources description regarding use of dated vs. undated versions of references.
• Remove VPDSS Element V1.1 reference column.
• Update examples in the following elements: E6.060, E7.030, E8.080, E11.090.
• Update Primary Sources for the following elements: E1.050; E2.020, E2.030, E2.050, E2.060, E2.070, E2.080, E2.090; E3.010, E3.020, E3.030, E3.040, E3.050; E4.040; E6.010, E6.020, E6.030, E6.040, E6.050; E8.020, E8.030, E8.080; E9.010, E9.040; E10.010, E10.020, E10.050, E10.070; E11.030, E11.040, E11.090, E11.110, E11.120, E11.180; E12.010, E12.030, E12.040.
• Update outdated Appendix A links.

Version 2.2 (September 2023):
• New OVIC branded template.
• Update out of date Primary Sources.
• Add Primary Sources to the following elements: E4.060; E5.050, E5.070; E10.010, E10.020, E10.060; E11.050, E11.140, E11.160.
• Remove Primary Sources from the following elements: E2.050; E3.050; E5.050, E5.070; E6.030, E6.060; E8.020; E10.010; E11.050, E11.200; E12.020, E12.030.
• Adjust E9.020 and E9.030 to align wording with legislation.
• Update outdated Appendix A links.

Version 2.3 (February 2024):
• Update Primary Sources for E9.020 and E9.030.

Note. The issue of version 2.3 of this document does not represent a change to the Victorian
Protective Data Security Standards V2.0. This document has been reviewed for currency and updated
accordingly under the VPDSS product development cycle.

Disclaimer

The information in this document is general in nature and does not constitute legal advice.

Copyright

You are free to re-use this work under a Creative Commons Attribution 4.0 licence, provided you
credit the State of Victoria (Office of the Victorian Information Commissioner) as author, indicate if
changes were made and comply with the other licence terms. The licence does not apply to any
branding, including Government logos. Copyright queries may be directed to
communications@ovic.vic.gov.au


Table of Contents

Objectives ........ 7
Structure of the VPDSS ........ 7
A Word on Elements ........ 8
Standard 1 – Information Security Management Framework ........ 10
Standard 2 – Information Security Value ........ 12
Standard 3 – Information Security Risk Management ........ 14
Standard 4 – Information Access ........ 16
Standard 5 – Information Security Obligations ........ 18
Standard 6 – Information Security Incident Management ........ 20
Standard 7 – Information Security Aspects of Business Continuity and Disaster Recovery ........ 22
Standard 8 – Third Party Arrangements ........ 23
Standard 9 – Information Security Reporting to OVIC ........ 25
Standard 10 – Personnel Security ........ 26
Standard 11 – Information Communications Technology (ICT) Security ........ 28
Standard 12 – Physical Security ........ 33
Appendix A - VPDSS Primary Sources ........ 35

Each standard entry comprises three sub-sections (Standard, Statement of Objective, Elements), all beginning on the page listed for that standard.


The purpose of the Victorian Protective Data Security Standards (VPDSS) is to provide a set of criteria
for the consistent application of risk-based practices to manage the security of Victorian government
information. The Standards are issued under Parts 4 and 5 of the Privacy and Data Protection Act
2014.

Objectives

The VPDSS is developed to help Victorian public sector organisations:

• manage public sector information throughout its lifecycle (creation to disposal);

• manage public sector information across all the security areas (governance, information,
personnel, Information Communications Technology (ICT), physical);

• manage security risks to the confidentiality, integrity, and availability (often referred to as
CIA) of public sector information;

• manage external parties with access to public sector information;

• share public sector information with other organisations with confidence; and

• minimise security incidents.

Structure of the VPDSS

Each standard is presented using the following structure (VPDSS structure, description, outcome).

Title: Heading/name of the standard. Outcome: key topic area (informational).

Standard: High-level statement describing what needs to be achieved by the organisation. There are 12 Victorian Protective Data Security Standards (VPDSS). Outcome: what is required (mandatory).

Statement of Objective: A statement of the intent of the standard identifying the desired outcome when the standard has been achieved. Outcome: why it is required (informational).

Element: A security measure(s) extracted from the source reference point that provides high level guidance. Outcome: how to? (risk-based action).

Primary Source: Reference point where the element has been primarily derived from, for further implementation advice. For references that:
• have a date, only the version cited applies, and
• do not have a date, the latest version of the referenced document applies.
References include Australian and International Standards, Federal and State government guidance and tailored guides developed by OVIC. Australian Standards can be accessed through the Victorian Government Library Service (VGLS) for eligible Victorian public sector organisations. Outcome: need more information? (informational).

A Word on Elements

Elements are security measures that modify risk. Elements often depend on a supportive control
environment to be effective. A control environment can be a set of standards, processes and
structures, authorities, funds, and resources that provide the basis for applying controls across the
organisation. The control environment therefore contributes to modifying risk indirectly.

The elements described in the VPDSS include both controls that directly modify risk and supportive
controls that are essential to the control environment. Deciding which elements apply (statement of
applicability) depends upon the organisation’s criteria for risk acceptance and risk treatment options.
Determining applicable elements also depends on the way in which elements interact with one
another to provide ‘defence in depth’ [1]. Where an organisation believes elements do not apply to
them, supporting justification should accompany such decisions.

[1] Defence in depth is a multi-layered system in which security measures combine to make it difficult for an intruder or authorised personnel
to gain unauthorised access. This approach works on the premise that where one measure fails, there is another independent method in
place to continue to defend. For further information refer to the NIST glossary https://csrc.nist.gov/glossary/term/defense_in_depth


Organisations should implement specific controls (which may be the element itself or multiple
controls that fall under the element) appropriate to their organisation considering:

• their internal and external context;

• the security value of the information; and

• associated risks.

Whilst the elements have been logically grouped under their related topic area, i.e., elements related
to physical security are listed under the physical security standard, selection of elements to mitigate
risks may not be isolated to the specific topic area.

OVIC has referenced the primary source documents used for each element to give further information
regarding implementation.

Organisations can design their own controls as required or identify them from any source that has at
least functional equivalence to, or is better than, the element identified by OVIC. These are recorded
in an internal control library.


Standard 1 – Information Security Management Framework

Standard

An organisation establishes, implements and maintains an information security management
framework relevant to its size, resources and risk posture.

Statement of Objective

To clearly establish, articulate, support, and promote the security governance arrangements across
the organisation and manage security risks to public sector information.

Elements

E1.010 The organisation documents a contextualised information security management framework (e.g., strategy, policies, procedures) covering all security areas.
Primary Source: AS/NZS ISO/IEC 27001:2023 Information security management systems – Requirements, § 4, § 5.2, § 6.2

E1.020 The organisation’s information security management framework contains and references all legislative and regulatory drivers.
Primary Source: AS/NZS ISO/IEC 27001:2023, § 4.2

E1.030 The organisation’s information security management framework aligns with its risk management framework.
Primary Source: AS/NZS ISO/IEC 27001:2023, § 6.1; AS ISO/IEC 27005:2012 Information security risk management, § 5

E1.040 Executive management defines information security functions, roles, responsibilities, competencies, and authorities.
Primary Source: AS/NZS ISO/IEC 27001:2023, § 5.3

E1.050 Executive management nominates an information security lead and notifies OVIC of any changes to this point of contact.
Primary Source: OVIC Information security leads information sheet

E1.060 Executive management owns, endorses, and sponsors the organisation’s ongoing information security program(s) including the implementation plan.
Primary Source: AS/NZS ISO/IEC 27001:2023, § 5.1

E1.070 The organisation identifies information security performance indicators and monitors information security obligations against these.
Primary Source: AS/NZS ISO/IEC 27001:2023, § 9.1, § 9.2

E1.080 Executive management commits to providing sufficient resources to support the organisation’s ongoing information security program(s).
Primary Source: AS/NZS ISO/IEC 27001:2023, § 7.1, § 7.2

E1.090 The organisation sufficiently communicates its information security management framework and ensures it is accessible.
Primary Source: AS/NZS ISO/IEC 27001:2023, § 7.3, § 7.4

E1.100 The organisation documents its internal control library that addresses its information security risks.
Primary Source: AS/NZS ISO/IEC 27001:2023, § 6.1

E1.110 The organisation monitors, reviews, validates, and updates the information security management framework.
Primary Source: AS/NZS ISO/IEC 27001:2023, § 9.3, § 10.1


Standard 2 – Information Security Value

Standard

An organisation identifies and assesses the security value of public sector information.

Statement of Objective

To ensure an organisation uses consistent identification and assessment criteria for public sector
information across its lifecycle to maintain its confidentiality, integrity and availability.

Elements

E2.010 The organisation's Information Management Framework incorporates all security areas.
Primary Source: WoVG Information Management Framework, § Enabler: Security and Privacy, § Enabler: Lifecycle Management

E2.020 The organisation identifies, documents, and maintains its information assets in an information asset register (IAR) in consultation with its stakeholders.
Primary Source: OVIC Practitioner Guide: Identifying and Managing Information Assets, § 9, § 10, § 11, § 12

E2.030 The organisation uses a contextualised VPDSF business impact level (BIL) table to assess the security value of public sector information.
Primary Source: OVIC Practitioner Guide: Assessing the security value of public sector information, § 12

E2.040 The organisation identifies and documents the security attributes (confidentiality, integrity, and availability business impact levels) of its information assets in its information asset register.
Primary Source: OVIC Practitioner Guide: Assessing the security value of public sector information, § 6, § 7

E2.050 The organisation applies appropriate protective markings to information throughout its lifecycle.
Primary Source: OVIC Practitioner Guide: Protective markings, § 7, § 9

E2.060 The organisation manages the aggregated (combined) security value of public sector information.
Primary Source: OVIC Practitioner Guide: Assessing the security value of public sector information, § 8.4

E2.070 The organisation continually reviews the security value of public sector information across the information lifecycle.
Primary Source: OVIC Practitioner Guide: Assessing the security value of public sector information, § 14

E2.080 The organisation manages externally generated information in accordance with the originator’s instructions.
Primary Source: OVIC Practitioner Guide: Protective markings, § 19 – § 25

E2.090 The organisation manages the secure disposal (archiving/destruction) of public sector information in accordance with its security value.
Primary Source: Protective Security Policy Framework (PSPF) Policy 8: Classification system, § C.5.7


Standard 3 – Information Security Risk Management

Standard

An organisation utilises its risk management framework to undertake a Security Risk Profile
Assessment to manage information security risks.

Statement of Objective

To ensure an organisation manages information security risks through informed business decisions
while applying controls to protect public sector information.

Elements

E3.010 The organisation conducts security risk assessments and determines treatment plans in accordance with its risk management framework covering all the processes to manage information security risks including:
• Risk identification;
• Risk analysis;
• Risk evaluation; and,
• Risk treatment.
Primary Source: OVIC Practitioner Guide: Information Security Risk Management V2.0, § 10; AS ISO/IEC 27005:2012 Information security risk management, § 8, § 9

E3.020 The organisation records the results of information security risk assessments and treatment plans in its risk register.
Primary Source: OVIC Practitioner Guide: Information Security Risk Management V2.0, § 10.1; VMIA Developing a foundation-level framework for your organisation, § A Risk Register

E3.030 The organisation considers information security risks in organisational planning.
Primary Source: VMIA Embedding risk thinking and techniques, § Show that you’ve considered risk in your strategies and plans

E3.040 The organisation communicates and consults with internal and external stakeholders during the information security risk management process.
Primary Source: OVIC Practitioner Guide: Information Security Risk Management V2.0, § 8; AS ISO/IEC 27005:2012, § 11

E3.050 The organisation governs, monitors, reviews, and reports on information security risk (e.g., operational, tactical and strategic) through a risk committee (or equivalent, e.g., audit, finance, board, corporate governance).
Primary Source: OVIC Practitioner Guide: Information Security Risk Management V2.0, § 11; VGRMF, § 2.2.2; AS ISO/IEC 27005:2012, § 12.1; AS ISO 31000:2018, § 6.7


Standard 4 – Information Access

Standard

An organisation establishes, implements and maintains an access management process for controlling
access to public sector information.

Statement of Objective

To formally authorise and manage the physical and logical access to public sector information.

Elements

E4.010 The organisation documents an identity and access management policy covering physical and logical access to public sector information based on the principles of least-privilege and need-to-know [2].
Primary Source: AS/NZS ISO/IEC 27002:2022 Information security controls, § 5.15; SOD IDAM 01 – Workforce Identity and Access Management [3], § IdAM Governance

E4.020 The organisation documents a process for managing identities and issuing secure credentials (registration and de-registration) for physical and logical access to public sector information.
Primary Source: AS/NZS ISO/IEC 27002:2022, § 5.16; SOD IDAM 01 – Workforce Identity and Access Management, § Enrolment

E4.030 The organisation implements physical access controls (e.g., key management, swipe card access, visitor passes) based on the principles of least-privilege and need-to-know.
Primary Source: AS/NZS ISO/IEC 27002:2022, § 7.1, § 7.2

E4.040 The organisation implements logical access controls (e.g., network account, password, two-factor authentication) based on the principles of least-privilege and need-to-know.
Primary Source: AS/NZS ISO/IEC 27002:2022, § 5.17, § 8.5; Australian Government Information Security Manual (ISM) June 2023, § Guidelines for Personnel Security – Access to systems and their resources; ACSC Essential Eight to ISM Mapping, § Restrict administrative privileges, § Multi-factor authentication

E4.050 The organisation manages the end-to-end lifecycle of access by following provisioning and de-provisioning processes.
Primary Source: AS/NZS ISO/IEC 27002:2022, § 5.18; SOD IDAM 01 – Workforce Identity and Access Management, § Lifecycle Management

E4.060 The organisation limits the use of, and actively manages, privileged physical and logical access and separates these from normal access (e.g., executive office access, server room access, administrator access).
Primary Source: AS/NZS ISO/IEC 27002:2022, § 8.2; SOD IDAM 01 – Workforce Identity and Access Management, § Privileged Access; ACSC Essential Eight to ISM Mapping, § Restrict administrative privileges

E4.070 The organisation regularly reviews and adjusts physical and logical access rights taking into account operational changes.
Primary Source: AS/NZS ISO/IEC 27002:2022, § 5.18

[2] The principles of restricting an individual’s access to only the information they require to fulfil the duties of their role.
[3] The Victorian Government Workforce IdAM Statement of Direction (SOD) defines the whole of government vision for identity and access management. Whilst a government wide approach, the areas covered in this document can also be applied at a local organisation level.


Standard 5 – Information Security Obligations

Standard

An organisation ensures all persons understand their responsibilities to protect public sector
information.

Statement of Objective

To create and maintain a strong security culture by ensuring that all persons understand the
importance of information security across all the security areas and their obligations for protecting
public sector information.

Elements

E5.010 The organisation documents its information security obligations and communicates these to all persons with access to public sector information (e.g., policies, position descriptions).
Primary Source: PSPF Policy 2: Management structures and responsibilities, § C.9; AS/NZS ISO/IEC 27002:2022 Information security controls, § 6.2, § 5.2, § 5.4

E5.020 The organisation’s information security training and awareness content covers all security areas.
Primary Source: PSPF Policy 2, § C.10.2

E5.030 The organisation delivers information security training and awareness to all persons with access to public sector information, upon engagement and at regular intervals thereafter in accordance with its training and awareness program and schedule.
Primary Source: PSPF Policy 2, § C.10, § C.10.3; AS/NZS ISO/IEC 27002:2022, § 6.3

E5.040 The organisation provides targeted information security training and awareness to persons in high-risk functions or who have specific security obligations (e.g., executives, executive assistants, procurement advisors, security practitioners, risk managers).
Primary Source: PSPF Policy 2, § C.10, § C.10.1, § C.10.2

E5.050 The organisation reviews and updates the information security obligations of all persons with access to public sector information.
Primary Source: AS/NZS ISO/IEC 27002:2022, § 6.2

E5.060 All persons with access to public sector information acknowledge their information security obligations at least annually (e.g., during performance development discussions, attending security briefings, completing security training).
Primary Source: PSPF Policy 2, § C.10, § C.10.1

E5.070 The organisation monitors, reviews, validates, and updates its information security training and awareness program and schedule.
Primary Source: PSPF Policy 2, § 10.3


Standard 6 – Information Security Incident Management

Standard

An organisation establishes, implements and maintains an information security incident management
process and plan relevant to its size, resources and risk posture.

Statement of Objective

To ensure a consistent approach for managing information security incidents, in order to minimise
harm/damage to government operations, organisations or individuals.

Elements

E6.010 The organisation documents and communicates processes and plan(s) for information security incident management covering all security areas.
Primary Source: OVIC Guide to developing an Information Security Incident Management Framework (ISIMF) V2.0, § A; AS/NZS ISO/IEC 27002:2022 Information security controls, § 5.24; PSPF Policy 2: Management structures and responsibilities, § C.8.1; Victorian Government cyber incident response plan template

E6.020 The organisation articulates roles and responsibilities for information security incident management.
Primary Source: ISIMF, § A; AS/NZS ISO/IEC 27002:2022, § 5.24

E6.030 The organisation’s information security incident management processes and plan(s) contain the five phases of:
• Plan and prepare;
• Detect and report;
• Assess and decide;
• Respond (contain, eradicate, recover, notify); and,
• Lessons learnt.
Primary Source: AS ISO/IEC 27035.1:2017 Information security incident management Part 1: Principles of incident management, § 5; ISIMF, § A; WoVG Cyber Incident Management Plan, § Managing Cyber Incidents; PSPF Policy 2, § Annex A

E6.040 The organisation records information security incidents in a register.
Primary Source: PSPF Policy 2, § C.8.1.3, § Annex A Step 1; AS ISO/IEC 27035.2:2017 Information security incident management Part 2: Guidelines to plan and prepare for incident response, § Annex B.2.2

E6.050 The organisation’s information security incident management procedures identify and categorise administrative (e.g., policy violation) incidents in contrast to criminal incidents (e.g., exfiltrating information to criminal associations) and investigative handover.
Primary Source: PSPF Policy 2, § C.8.2, § Annex B

E6.060 The organisation regularly tests (e.g., annually) its incident response plan(s).
Primary Source: AS ISO/IEC 27035.2:2017, § 11; WoVG Cyber Exercise Guide


Standard 7 – Information Security Aspects of Business Continuity and Disaster Recovery

Standard

An organisation embeds information security continuity in its business continuity and disaster
recovery processes and plans.

Statement of Objective

To enhance an organisation’s capability to prevent, prepare, respond, manage and recover from any
event that affects the confidentiality, integrity and availability of public sector information.

Elements

E7.010  The organisation documents and communicates business continuity and disaster recovery
        processes and plans covering all security areas.
        Primary Source: AS/NZS ISO/IEC 27002:2022 Information security controls, § 5.29.

E7.020  The organisation identifies and assigns roles and responsibilities for information security
        in business continuity and disaster recovery processes and plans.
        Primary Source: AS/NZS ISO/IEC 27002:2022, § 5.29.

E7.030  The organisation regularly tests (e.g., annually) its business continuity and disaster
        recovery plan(s).
        Primary Source: AS/NZS ISO/IEC 27002:2022, § 5.29.


Standard 8 – Third Party Arrangements

Standard

An organisation ensures that third parties securely collect, hold, manage, use, disclose or transfer
public sector information.

Statement of Objective

To confirm that the organisation’s public sector information is protected when the organisation
interacts with a third party.

Elements

E8.010  The organisation’s information security policies, procedures and controls cover the entire
        lifecycle of third-party arrangements (e.g., contracts, MOUs and information sharing
        agreements).
        Primary Source: AS/NZS ISO/IEC 27002:2022 Information security controls, § 5.19.

E8.020  The organisation includes requirements from all security areas in third party arrangements
        (e.g., contracts, MOUs and information sharing agreements) in accordance with the security
        value of the public sector information.
        Primary Source: PSPF Policy 6: Security governance for contracted goods and service
        providers, § C.2, Annex A; AS/NZS ISO/IEC 27002:2022, § 5.20, § 6.6.

E8.030  The organisation undertakes an information security risk assessment of the third party's
        service offering and addresses any residual risks prior to finalising the arrangement.
        Primary Source: PSPF Policy 6, § C.1.

E8.040  The organisation identifies and assigns information security roles and responsibilities in
        third party arrangements (e.g., contracts, MOUs and information sharing agreements).
        Primary Source: AS/NZS ISO/IEC 27002:2022, § 5.14.


E8.050  The organisation establishes, maintains, and reviews a register of third-party arrangements
        (e.g., contracts, MOUs and information sharing agreements).
        Primary Source: AS/NZS ISO/IEC 27002:2022, § 5.20.

E8.060  The organisation monitors, reviews, validates, and updates the information security
        requirements of third-party arrangements and activities.
        Primary Source: PSPF Policy 6, § C.3; AS/NZS ISO/IEC 27002:2022, § 5.21, § 5.22; PDP Act,
        § 89(3).

E8.070  The organisation documents its information release management requirements (e.g., social
        media, news, DataVic).
        Primary Source: IM-GUIDE-06 WoVG Information Management Governance Guidelines,
        § Custodianship model; DataVic access policy guidelines.

E8.080  The organisation manages the delivery of maintenance activities and repairs (e.g., on-site
        and off-site).
        Primary Source: AS/NZS ISO/IEC 27002:2022, § 7.13; ISM June 2023, § Guidelines for ICT
        equipment – ICT equipment maintenance and repairs.

E8.090  The organisation applies appropriate security controls upon completion or termination of a
        third-party arrangement (e.g., contracts, MOUs and information sharing agreements).
        Primary Source: PSPF Policy 6, § C.4.


Standard 9 – Information Security Reporting to OVIC

Standard

An organisation regularly assesses its implementation of the Victorian Protective Data Security
Standards (VPDSS) and reports to the Office of the Victorian Information Commissioner (OVIC).

Statement of Objective

To promote the organisation’s security capability and ensure adequate tracking of its exposure to
information security risks.

Elements

E9.010  The organisation notifies OVIC of incidents that have an adverse impact on the
        confidentiality, integrity, or availability of public sector information with a business
        impact level (BIL) of 2 (limited) or higher. [4]
        Primary Source: OVIC Information Security Incident Notification Scheme V1.0.

E9.020  The organisation submits a copy of its Protective Data Security Plan (PDSP) to OVIC every
        two years.
        Primary Source: Privacy and Data Protection Act 2014 (PDP Act), § 89.

E9.030  Upon significant change, the organisation submits a copy of its reviewed PDSP to OVIC.
        Primary Source: PDP Act, § 89.

E9.040  The organisation annually attests to the progress of activities identified in its PDSP to
        OVIC.
        Primary Source: VPDSF V2.1, § 9.3.

[4] Refer to the current VPDSF BIL table on the OVIC website
https://ovic.vic.gov.au/information-security/information-security-resources/ for further information.


Standard 10 – Personnel Security

Standard

An organisation establishes, implements and maintains personnel security controls addressing all
persons’ continuing eligibility and suitability to access public sector information.

Statement of Objective

To mitigate an organisation’s personnel security risks and provide a consistent approach for managing
all persons with access to public sector information.

Elements

E10.010 The organisation's personnel security policies and procedures address the personnel
        lifecycle phases of:
        - Pre-engagement (eligibility and suitability);
        - Engagement (ongoing and re-engagement); and,
        - Separating (permanently or temporarily).
        Primary Source: PSPF Policy 3: Security planning and risk management, § Table 2; PSPF
        Policy 12: Eligibility and suitability of personnel, § B.2; PSPF Policy 13: Ongoing
        assessment of personnel, § Table 1; PSPF Policy 14: Separating personnel, § C; AS 4811:2022
        Workforce Screening, § 2.8.2.


E10.020 The organisation verifies the identity of personnel, re-validates, and manages any changes
        as required.
        Primary Source: PSPF Policy 12, § Table 1 Identity check, § Table 4 Confirmation of
        identity; National Identity Proofing Guidelines (NIPG), § 4.1; AS 4811:2022, § 2.8.5.3.

E10.030 The organisation undertakes pre-engagement screening commensurate with its security and
        probity obligations and risk profile.
        Primary Source: PSPF Policy 12, § C.1.

E10.040 The organisation manages ongoing personnel eligibility and suitability requirements
        commensurate with its security and probity obligations and risk profile.
        Primary Source: PSPF Policy 13, § C.1.

E10.050 The organisation manages personnel separating from the organisation commensurate with its
        security and probity obligations and risk profile.
        Primary Source: PSPF Policy 14, § C.1 – § C.6.

E10.060 The organisation develops security clearance policies and procedures to support roles
        requiring high assurance and/or handling security classified information.
        Primary Source: PSPF Policy 12, § C.2.1; PSPF Policy 13, § Table 1.

E10.070 The organisation undertakes additional personnel screening measures commensurate with the
        risk to support roles requiring high assurance and/or handling security classified
        information.
        Primary Source: PSPF Policy 12, § C.2.

E10.080 The organisation actively monitors and manages security clearance holders.
        Primary Source: PSPF Policy 13, § C.2.


Standard 11 – Information Communications Technology (ICT) Security

Standard

An organisation establishes, implements and maintains Information Communications Technology
security controls.

Statement of Objective

To maintain a secure environment by protecting the organisation’s public sector information through
ICT security controls.

Elements

E11.010 The organisation manages security documentation for its ICT systems (e.g., system security
        plans).
        Primary Source: Australian Government Information Security Manual (ISM) June 2023,
        § Guidelines for security documentation.

E11.020 The organisation manages all ICT assets (e.g., on-site and off-site) throughout their
        lifecycle.
        Primary Source: ISM, § Guidelines for physical security; § Guidelines for ICT equipment.

E11.030 The organisation conducts a security assessment for authorising systems to operate prior
        to transmitting, processing, or storing public sector information.
        Primary Source: ISM, § Applying a risk-based approach to cyber security – Authorise the
        system.


E11.040 The organisation undertakes risk-prioritised vulnerability management activities (e.g.,
        patch management, penetration testing, continuous monitoring systems).
        Primary Source: ISM, § Guidelines for system management – System patching; § Guidelines
        for system monitoring; ACSC Essential Eight to ISM Mapping, § Patch applications; § Patch
        operating systems.

E11.050 The organisation documents and manages changes to ICT systems.
        Primary Source: AS/NZS ISO/IEC 27002:2022 Information security controls, § 8.32.

E11.060 The organisation manages communications security controls (e.g., cabling, telephony,
        radio, wireless networks).
        Primary Source: ISM, § Guidelines for communications infrastructure; § Guidelines for
        communications systems; § Guidelines for networking – wireless networks; § Guidelines for
        physical security – facilities and systems – Bringing Radio Frequency and infrared devices
        into facilities.

E11.070 The organisation verifies the vendor’s security claims before implementing security
        technologies.
        Primary Source: ISM, § Guidelines for evaluated products.

E11.080 The organisation manages security measures (e.g., classification, labelling, usage,
        sanitisation, destruction, disposal) for media.
        Primary Source: ISM, § Guidelines for media.


E11.090 The organisation manages standard operating environments (SOEs) for all ICT assets,
        including end user access devices (e.g., workstations, mobile phones, laptops), network
        infrastructure, servers, and Internet of Things (IoT) commensurate with security risk.
        Primary Source: ISM, § Guidelines for system hardening; ACSC Essential Eight to ISM Mapping,
        § Application control; § Configure Microsoft Office macro settings; § User application
        hardening.

E11.100 The organisation manages security measures for email systems.
        Primary Source: ISM, § Guidelines for email.

E11.110 The organisation logs system events and actively monitors these to detect potential
        security issues (e.g., intrusion detection/prevention systems (IDS/IPS)).
        Primary Source: ISM, § Guidelines for system monitoring; § Guidelines for networking –
        Network design and configuration – Using Network-based Intrusion Detection and Prevention
        Systems.

E11.120 The organisation uses secure system administration practices.
        Primary Source: ISM, § Guidelines for system management – System administration;
        § Guidelines for personnel security – Access to systems and their resources; ACSC Essential
        Eight to ISM Mapping, § Restrict administrative privileges.

E11.130 The organisation designs and configures the ICT network in a secure manner (e.g.,
        segmentation, segregation, traffic management, default accounts).
        Primary Source: ISM, § Guidelines for networking.


E11.140 The organisation manages a process for cryptographic keys (e.g., disk encryption,
        certificates).
        Primary Source: ISM, § Guidelines for cryptography – Cryptographic fundamentals –
        Cryptographic key management processes and procedures; AS/NZS ISO/IEC 27002:2022, § 8.24.

E11.150 The organisation uses cryptographic controls for confidentiality, integrity,
        non-repudiation, and authentication commensurate with the risk to information.
        Primary Source: ISM, § Guidelines for cryptography.

E11.160 The organisation manages malware prevention and detection software for ICT systems.
        Primary Source: ISM, § Guidelines for gateways; § Guidelines for data transfers; AS/NZS
        ISO/IEC 27002:2022 Information security controls, § 8.7.

E11.170 The organisation segregates emerging systems from production systems (e.g., physical
        and/or logical) until their security controls are validated.
        Primary Source: ISM, § Guidelines for software development.

E11.180 The organisation manages backup processes and procedures (e.g., schedule, isolation,
        storage, testing, retention).
        Primary Source: ISM, § Guidelines for system management – Data backup and restoration; ACSC
        Essential Eight to ISM Mapping, § Regular backups.

E11.190 The organisation manages a secure development lifecycle covering all development activities
        (e.g., software, web-based applications, operational technology (Supervisory Control and
        Data Acquisition/Industrial Control Systems (SCADA/ICS))).
        Primary Source: ISM, § Guidelines for software development.


E11.200 The organisation manages security measures for enterprise mobility (e.g., mobile device
        management, working from home).
        Primary Source: ISM, § Guidelines for enterprise mobility; AS/NZS ISO/IEC 27002:2022,
        § 6.7.


Standard 12 – Physical Security

Standard

An organisation establishes, implements and maintains physical security controls addressing facilities,
equipment and services.

Statement of Objective

To maintain a secure environment by protecting the organisation’s public sector information through
physical security controls.

Elements

E12.010 The organisation plans and documents physical security measures.
        Primary Source: PSPF Policy 16: Entity facilities, § C.1.

E12.020 The organisation applies defence-in-depth physical security measures.
        Primary Source: PSPF Policy 16, § C.2, § C.4; AS/NZS ISO/IEC 27002:2022 Information
        security controls, § 7.1.


E12.030 The organisation selects physical security measures commensurate with the business impact
        level of the information.
        Primary Source: PSPF Policy 15: Physical security for entity resources, § C.2, § C.3, § C.4,
        § C.5; PSPF Policy 16, § C.2, § C.3; AS/NZS ISO/IEC 27002:2022, § 7.6.

E12.040 The organisation has scalable physical security measures ready for activation during
        increased threat situations.
        Primary Source: PSPF Policy 3: Security planning and risk management, § C.3; PSPF Policy 16,
        § C.4.

E12.050 The organisation implements physical security measures when handling information out of
        the office.
        Primary Source: PSPF Policy 15, § C.8; AS/NZS ISO/IEC 27002:2022, § 7.9.

E12.060 The organisation manages physical security measures throughout their lifecycle.
        Primary Source: AS/NZS ISO/IEC 27002:2022, § 7.13, § 7.14.


Appendix A - VPDSS Primary Sources

Victorian Government

Privacy and Data Protection Act 2014 (PDP Act)

http://www8.austlii.edu.au/cgi-bin/viewdb/au/legis/vic/consol_act/padpa2014271/

Office of the Victorian Information Commissioner:

Victorian Protective Data Security Framework (VPDSF) V2.1

Information Sheet: Information Security Leads

Practitioner Guide: Identifying and Managing Information Assets

Practitioner Guide: Assessing the security value of public sector information

Practitioner Guide: Protective Markings

Practitioner Guide: Information Security Risk Management

Guide to developing an Information Security Incident Management Framework V2.0

https://ovic.vic.gov.au/information-security/information-security-resources/

Information Security Incident Notification Scheme V1.0

https://ovic.vic.gov.au/data-protection/agency-reporting-obligations/incident-notification/

Department of Government Services (DGS):

IM-FW-01 Information Management Framework

IM-GUIDE-06 Information Management Governance Standards

https://www.vic.gov.au/information-management-policies-and-standards

Statement of Direction – Workforce Identity and Access Management

https://www.vic.gov.au/digital-strategy-transformation-statements-direction

Victorian Government Cyber Incident Management Plan

https://www.vic.gov.au/cyber-incident-management-plan


Victorian Government Cyber Incident Response Plan Template

https://www.vic.gov.au/prepare-cyber-incident

Cyber Exercise Guide

https://www.vic.gov.au/practice-your-cyber-incident-response

DataVic access policy guidelines

https://www.data.vic.gov.au/datavic-access-policy-guidelines

Department of Treasury and Finance:

Victorian Government Risk Management Framework (VGRMF)

https://www.dtf.vic.gov.au/planning-budgeting-and-financial-reporting-frameworks/victorian-risk-management-framework-and-insurance-management-policy

Victorian Managed Insurance Authority (VMIA):

Developing a foundation-level framework for your organisation

Embedding risk thinking and techniques

https://www.vmia.vic.gov.au/tools-and-insights/practical-guidance-for-managing-risk

Federal Government

Department of Home Affairs:

Protective Security Policy Framework (PSPF):

Policy 2: Management structures and responsibilities

https://www.protectivesecurity.gov.au/publications-library/policy-2-management-structures-and-responsibilities

Policy 3: Security planning and risk management

https://www.protectivesecurity.gov.au/publications-library/policy-3-security-planning-and-risk-management


Policy 6: Security governance for contracted goods and service providers

https://www.protectivesecurity.gov.au/publications-library/policy-6-security-governance-contracted-goods-and-service-providers

Policy 8: Classification system

https://www.protectivesecurity.gov.au/publications-library/policy-8-classification-system

Policy 9: Access to information

https://www.protectivesecurity.gov.au/publications-library/policy-9-access-information

Policy 12: Eligibility and suitability of personnel

https://www.protectivesecurity.gov.au/publications-library/policy-12-eligibility-and-suitability-personnel

Policy 13: Ongoing assessment of personnel

https://www.protectivesecurity.gov.au/publications-library/policy-13-ongoing-assessment-personnel

Policy 14: Separating personnel

https://www.protectivesecurity.gov.au/publications-library/policy-14-separating-personnel

Policy 15: Physical security for entity resources

https://www.protectivesecurity.gov.au/publications-library/policy-15-physical-security-entity-resources

Policy 16: Entity facilities

https://www.protectivesecurity.gov.au/publications-library/policy-16-entity-facilities

National Identity Proofing Guidelines (NIPG)

https://www.homeaffairs.gov.au/criminal-justice/files/national-identity-proofing-guidelines.pdf

Australian Signals Directorate/ Australian Cyber Security Centre (ACSC):

Australian Government Information Security Manual (ISM)

https://www.cyber.gov.au/acsc/view-all-content/ism

ACSC Essential Eight

https://www.cyber.gov.au/acsc/view-all-content/essential-eight


Australian Standards

Please note: for eligible Victorian Public Sector organisations, access to Australian Standards is free
from the Victorian Government Library Service (VGLS).

AS/NZS ISO/IEC 27001:2023 Information security, cybersecurity and privacy protection – Information
security management systems – Requirements

https://www.standards.org.au/standards-catalogue/standard-details?designation=as-nzs-iso-iec-27001-2023

AS/NZS ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection – Information
security controls

https://www.standards.org.au/standards-catalogue/standard-details?designation=as-nzs-iso-iec-27002-2022

AS ISO/IEC 27005:2012 Information technology – Security techniques – Information security risk
management

https://www.standards.org.au/standards-catalogue/standard-details?designation=as-nzs-iso-iec-27005-2012

AS ISO 31000:2018 Risk Management – Guidelines

https://www.standards.org.au/standards-catalogue/standard-details?designation=as-iso-31000-2018

AS ISO/IEC 27035.1:2017 Information technology – Security techniques – Information security incident
management, Part 1: Principles of incident management

https://www.standards.org.au/standards-catalogue/standard-details?designation=as-nzs-iso-iec-27005-2012

AS ISO/IEC 27035.2:2017 Information technology – Security techniques – Information security incident
management, Part 2: Guidelines to plan and prepare for incident response

https://www.standards.org.au/standards-catalogue/standard-details?designation=as-iso-iec-27035-2-2017


www.ovic.vic.gov.au
