eGovernment Resource Centre - Victoria, Australia


Victorian Government Information Security Policy Standards and Guidelines

The Government Services Division (GSD), within the Department of Treasury and Finance of the Victorian Government, has published a common policy, standards, guidelines and processes (templates) for information security, including data classification and management, penetration testing, portable storage devices such as USB sticks, and user awareness training.

Policy

Information Security Management Policy - in pdf format (184kb) - Version 1.2, 1 July 2005. (This document requires the use of Adobe Acrobat Reader). The Information Security Management Policy is also available in html format.

  • Victorian Government Departments and Agencies will use identified and approved Whole of Victorian Government (WoVG) standards and guidelines to manage ICT security appropriate to the sensitivity of information and assets to be protected.

Standards

Information Security Management Framework - in pdf format (185kb). Version 2.2, March 2011. (This document requires the use of Adobe Acrobat Reader). SEC/STD/01. The Information security management framework standard is also available in html format.

  • The standard requires all agencies and departments to develop a plan for compliance with these International and Australian standards within 6 months of this standard being approved. This compliance plan will be submitted to GSD for endorsement.

Information Security - Data Classification and Management - in pdf format (217kb). Version 1.2, March 2011. (This document requires the use of Adobe Acrobat Reader). SEC/STD/02. The Data classification and management standard is also available in html format.

  • This Standard describes the requirement for each department and agency to assess and manage the exposure risk of confidential information under its control, via a three-part process:
    1. initial formal business assessment of the information exposure risk and translation of this to a required information security classification;
    2. the Information Technology area’s (responsive) assessment of its proposed solutions for conformance to the level of protection required by the business; and
    3. on-going ‘maintenance’. That is, given that the business risk assessment (part 1); and the IT response (part 2), are ‘snapshots’ in time, there must be the capability for the business and the IT area to each reassess the exposure risks and the solution alignment.

Information security - penetration testing - in pdf format (209kb). Version 1.2, March 2011. (This document requires the use of Adobe Acrobat Reader). SEC/STD/03. The Penetration testing standard is also available in html format.

  • This standard describes the minimum requirement for Victorian Government departments and agencies to conduct independent penetration testing on their information systems and infrastructure to identify vulnerabilities and weaknesses in security controls.

Information security - use of portable storage devices - in pdf format (366kb). Version 1.3, March 2011. (This document requires the use of Adobe Acrobat Reader). SEC/STD/04. The Use of portable storage devices standard is also available in html format.

  • Information is increasingly being stored, transported and shared on portable storage devices (PSDs) within the Victorian Government. Examples of PSDs include USB memory sticks, iPods, smartphones, MP3 players, digital cameras and laptop/notebook computers. PSDs are rapidly evolving, easy to use, convenient to transport, making them widely used. This practice may expose the Victorian Government to an increased risk of inappropriate information release or access. The government-wide adoption of common policy, standards and processes for information security will enable the Victorian Government to reduce this risk.
  • This standard provides an overview of the risks associated with the use of PSDs, the associated controls and risk mitigation measures that must be implemented, and the rationale for the controls.

Information security - User awareness training - in pdf format (193kb). Version 1.1, September 2010. (This document requires the use of Adobe Acrobat Reader). SEC/STD/05. The User awareness training standard is also available in html format.

  • Details the requirement to align information security training within agencies to business risk. Alignment provides the basis of risk attestation and a level of assurance that information security risk is being communicated effectively through the agency.

Information Security - Incident Management - in pdf format (191kb). Version 1.1, September 2010. (This document requires the use of Adobe Acrobat Reader). SEC/STD/06. The Incident management standard is also available in html format.

  • Each agency will define a governance system including security incident management and incident escalation procedures aligned to ISO 27001 and ISO 27002, and communicate any incident which has the potential to seriously affect the security of other agencies to DTF (GSD) immediately.

Guidelines

Information Security Management Framework: ICT Guideline - in pdf format (112kb). Version 1.0, 20 October 2009. (This document requires the use of Adobe Acrobat Reader). SEC/GUIDE/01. The Information Security Management Framework guideline is also available in html format.

  • This guideline presents reporting templates that may assist departments in responding to the requirements of the Information Security Management Framework Standard. This guideline and its attached templates are for the voluntary use by all eleven departments and the inner budget agencies: Victoria Police, VicRoads, State Revenue Office and the Environment Protection Authority.

Data classification & management implementation: ICT Guideline - in pdf format (261kb). Version 1.0, 28 February 2011. (This document requires the use of Adobe Acrobat Reader). The Data classification & management implementation guideline is also available in html format.

  • This guideline describes the processes to be followed and the documents/templates that may be used in completing data/information classification, risk assessment and controls selection for SEC/STD/02 - Information Security - Data classification and management.

Information Security penetration testing guideline - in pdf format (194kb). Version 1.0, 1 May 2010. (This document requires the use of Adobe Acrobat Reader). SEC/GUIDE/03. The Information security penetration testing guideline is also available in html format.

  • This guideline will assist departments in their consideration of compliance with Information security - Penetration testing standard SEC/STD/03 and should be read in conjunction with that standard.

Security awareness training framework assessment tool guideline - in pdf format (777kb). Version 1.0, 28 September 2010. (This document requires the use of Adobe Acrobat Reader). SEC/GUIDE/05. The Security awareness training framework assessment tool guideline is also available in html format.

  • This guideline describes: some of the types of Security Awareness Training that may be in place; processes to be followed and documents/templates that may be used when evaluating the security awareness training that is in place and determining any gaps or shortcomings; and steps in completing the self-assessment for security awareness training evaluation tool provided (Self-assessment for Security Awareness Training.xlsx).

Templates

Government Services Division has provided the following information security templates to assist compliance with the policy, standards and guidelines:

  • SEC TEMP 01-1 Compliance report information security templates - October 2009 v1.0
  • SEC TEMP 01-2 Security Policy information security template - October 2009
  • SEC TEMP 01-3 System operational description information security management template - October 2009 v1.0
  • SEC TEMP 01-4 Risk assessment report information security template - October 2009 v1.0
  • SEC TEMP 01-5 Statement of applicability information security management template - October 2009 v1.0
  • SEC TEMP 02 Information classification and management reporting template v1.0
  • SEC TEMP 02-1 Data classification - Project plan v1.0
  • SEC TEMP 02-2 Data classification - Primer slides v1.3
  • SEC TEMP 02-3 Data classification sheet v2.0
  • SEC TEMP 02-4 Data classification report v2.0
  • SEC TEMP 02-5 Data classification - risk report linear v1.0
  • SEC TEMP 03 Information security penetration testing compliance reporting template - May 2010 v1.0
  • SEC TEMP 05 Information security user awareness training tool - September 2010 v1.0
  • WoVG Security reporting template - June 2010 v1.0

Further Information

Contact the Government Services Division, Department of Treasury and Finance.


Added: 27 November 2009
Last updated: 7 October 2011