Hopeless Vic agencies have two years to hit infosec best practice
Or something will happen, as bad as being hacked
Government agencies in the Australian state of Victoria will have two years to move from near ground zero to stand up fully-fledged and updated information security, risk, and governance policies.
The requirements are a big ask for agencies in the southern state, previously described as in information security turmoil after ignoring formal security policies for years.
It is, however, unknown if non-complying agencies will face fines or penalties. The commissioner has been contacted for comment.
The agencies will each year need to demonstrate compliance to the state commissioner against 18 areas within the just released Protective Data Security Framework [PDF] .
Audits in previous years have found agencies had lax or non-existent security policies and controls. The best guide for agencies was the Australian Signals Directorate's lauded but non-compulsory top four security controls and the Commonwealth Information Security Manual.
Agencies will also be required to submit to out-of-band audits.
The requirements cover data and information security along with governance, and physical and personnel security.
Much of the prescriptions fall in line with existing Federal information security recommendations, are proportionate to the size of the agency, and are non-prescriptive in terms of technology and implementation.
Various areas of governance consumes a dozen of the 18 requirements, each with four underlying protocols.
It demands formal security management frameworks; risks registers; policies and access regimes; regularly staff training; incidence response; business continuity;
Data security controls must be updated and maintained and applied to shared public data, while information security mechanisms must also be established and updated.
The protocols for each condensed down require evidence of executive buy-in, updating over time, and alignment with various standards including ISO 27001, 27002, 22301, and 31000.
Contractors must also need the new requirements. ®