This website uses cookies. View our cookie policy
Close
Asia
Select regional store:

The VPDSF (Victorian Protective Data Security Framework)

The VPDSF (Victorian Protective Data Security Framework) is the scheme for managing data security risks in Victoria’s public sector.

The framework comprises:

It was established by OVIC (the Office of the Victorian Information Commissioner) in July 2016 under Part Four of the PDPA (Privacy and Data Protection Act) 2014, and updated in March 2018.


The VPDSS

The VPDSS are 18 high-level data security requirements for Victorian public-sector organisations.

They provide a set of criteria for consistently applying security practices across Victorian government information. These criteria cover governance, information security, personnel security, ICT (information communications technology) security and physical security.

Click here for more information about the VPDSS >>


Assurance model

The assurance model sets out a number of activities designed to ensure that Victorian public-sector organisations meet the following obligations under the PDPA and the VPDSS:

  • Undertake an SRPA (security risk profile assessment) to determine the current risks to their information assets.
  • Complete a VPDSS self-assessment.
  • Develop a PDSP (protective data security plan) to address data security risks and capability improvement.
  • Submit the PDSP to OVIC by 31 August 2018 and every two years thereafter.
  • Review the PDSP at least every two years.
  • Cooperate with OVIC’s monitoring and assurance activities, including audits.

The assurance model addresses the following areas:

  • Security planning – the activities to assess organisations’ risks and capability, and development of an action plan.
  • Organisational compliance – an approach based on a security capability model, which organisations can use to report their level of compliance with the VPDSS to OVIC.
  • Risk-based assurance – OVIC’s activities to assess the level, implementation and effectiveness of protective data security across the Victorian public sector.
  • Assurance reporting – the reporting obligations and requirements for OVIC.

Each area is supported by the following operational components:

#VPDSF principles
Assurance model
Security planning Organisational compliance Risk-based assurance Assurance reporting
Security risk profile assessment VPDSS self-assessment Assurance context OVIC reporting
Protective data security plan Maturity assessment Assessment criteria Ministerial reporting
  Maturity target assessment Organisation impact assessment  
  Organisational reporting Assurance activities  
Organisational activities OVIC activities

Supplementary security guides and supporting resources

OVIC has also made a number of resources available to public-sector organisations, including guides, fact sheets, action plans, visual aids and posters, and self-assessment and reporting templates.


Complying with the VPDSF

If your organisation needs help complying with the VPDSF and PDPA, we can help.

The VPDSS states that organisations should align their security management frameworks with standards such as ISO 27001, and their access management regimes and information sharing practices with ISO 27001’s code of practice, ISO 27002.

IT Governance has more than 15 years’ experience helping hundreds of organisations worldwide implement ISO 27001, having led ISMS (information security management system) implementation projects since the Standard’s inception.

If you need more guidance or advice on implementing ISO 27001, please contact us.


Speak to an expert

Please contact us for further information or to speak to an ISO 27001 expert.