ICAANZ VPDSS presentation by Paul O'Connor


Transcript of ICAANZ VPDSS presentation by Paul O'Connor

Page 1: ICAANZ VPDSS presentation by Paul O'Connor

A new data security framework for Victoria’s public sector

ICAANZ IT&T Forum

Paul O’Connor, Special Advisor to the Commissioner
Office of the Commissioner for Privacy and Data Protection
16 July 2015

Page 2: Background on the speaker

Work
• 5 years as a journalist in Vietnam
• 15 years as an officer in the Army Reserve
• +15 years in the Federal, Northern Territory and Victorian public sectors
• ~12 of these in the ANAO and VAGO

Author of most major ICT audits issued by VAGO over the last 5 years

Currently on secondment to Commissioner for Privacy and Data Protection

Education
BA Asian Studies (VUT)
Post Grad Cert in PPPs (Melb.)
Master of Public Infrastructure (Melb.)

Page 3: New legislation and a new regulator

In December 2012, the (then) Attorney General announced that the Government would establish an office of the Privacy and Data Protection Commissioner.

The announcement highlighted the need for an integrated, whole of government approach to data security, including protective security, as an essential part of strengthening the privacy and protection of personal information handled by and on behalf of the Victorian public sector.

The new legislation received bipartisan support.

Page 4: Commissioner for Privacy and Data Security

Mr. David Watts is the inaugural Commissioner for Privacy and Data Protection.

The new Office was established by the Privacy and Data Protection Act 2014.

This new legislation repealed two previous Acts and combined two former Offices:
• Privacy Commissioner
• Commissioner for Law Enforcement Data Security

In addition to inheriting the functions of these previous Offices, the new Act added responsibility for protective data security standard setting, assurance monitoring and oversight of Victorian public sector bodies and agencies.

Page 5: Information Security Context in Victoria (1)

As we know, the threat environment is complex, dynamic and sophisticated:
• traditional actors (e.g. bored teenagers, hacktivists, insiders)
• are being overtaken by the new model of “e-crime-as-a-service”
• and the extreme technical threats posed by state-sponsored players.

Victoria is ill-prepared for these threats according to the Auditor-General: “The policy, standards and protection mechanisms for the security of the state’s ICT systems and data have not been effectively applied. Agencies undertake only limited monitoring of suspicious internal network activity, and they do not have a capability to detect an intrusion into sensitive public sector systems.”

Source: WoVG Information Security Management Framework, Nov. 2013

Page 6: Information Security Context in Victoria (2)

The cyber threat for Victoria is real. According to the Cyber Security Operations Centre’s Cyber Intrusion Activity Report dated August 2013 (Australian State and Territory Governments: January–June 2013):

“Between January and June 2013, there were approximately 40 cyber security incidents affecting state and territory governments. Of these 40 incidents, approximately 35 were considered serious enough to require further action and a CSOC response. The networks of the Victorian and West Australian state governments accounted for the highest proportion of cyber security incidents responded to by the CSOC between January and June 2013.”

Page 7: Key drivers for a new data protection approach

Recent VAGO audits identified data protection/information security problems:
- Maintaining the Integrity and Confidentiality of Personal Information (Nov. 2009)
- WoVG Information Security Management Framework (Nov. 2013)

Main issues identified as needing urgent rectification were:
• unenforceable information security policies
• fragmented approaches across agencies
• lack of effective regulation or oversight by central agencies
• contestable standards (ISO vs. COBIT vs. PSM vs. home grown)
• limited practical testing of security (i.e. penetration tests)
• ‘dark terrain’ where there is no policy coverage (i.e. ‘unknown unknowns’)

Page 8: 'Best of breed' approach used to develop the new Victorian Protective Data Security Framework

The new VPDSF will apply to some 2000+ agencies and will require agencies to take a holistic approach to data security.
• Local governments, hospitals, ambulance, and universities are exempt

We have attempted to take on board recent lessons and focus the work around observed weaknesses and likely threat vectors such as:
• lack of senior executive oversight/buy-in for information security
• flimsy and/or outdated risk and threat analysis by agencies
• too much focus on technical rather than personnel controls
• sparse checking and assurance that controls in place actually work
• heavy reliance on outsourcers/shared services but limited visibility of risks


Page 12: Confidentiality, Integrity, Availability

Protective data security helps to give the right information to the right person at the right time…

CONFIDENTIALITY ensures that information is only accessed by those who need it to perform their duties, that is, by the right person.

INTEGRITY relates to ensuring that information provided is correct and not later corrupted, either intentionally or inadvertently – that it is the right information.

AVAILABILITY relates to access to information for authorised purposes at the time it is needed, that is, access to information at the right time.

Page 13: Work underway and next steps…

The draft standards are open for comment until 30 September 2015; the comments will be collated into a version for formal release by the Minister by the start of 2016.

Complementary activities underway in the Office include:
- roll-out of stakeholder engagement plans
- development of standardized documentation and other guidance products
- development and piloting of educational packages
- definition and scoping of an ongoing monitoring and assurance system
- development of an incident, referral and intelligence database

Page 14: Discussion/questions?

E: Paul.O’[email protected]
03 8684 1657