
Freedom of Information | Privacy | Data Protection 1

PUBLIC DOMAIN

Information Sheet

VICTORIAN INFORMATION SECURITY NETWORK (VISN)

Round 2 – Identify and Value Information Assets

Questions / Comments & Answers / Feedback

N.B. Questions and Comments have been noted verbatim

Forum date – 20th September

Questions / Comments Answers / Feedback

Feedback: The BIL table hasn’t worked in any organisation a practitioner has worked in. Instead, the practitioner used the corporate risk management consequence table to tie back to the CIA…

As described in section 17 of the VPDSF Information Security Management Collection, organisations are expected to use the VPDSF BIL table (Chapter 2 – Appendix B) to assess the impacts resulting from a compromise to the confidentiality, integrity and availability of official information.

The VPDSF BIL table does not need to be adjusted, as it contains pre-defined consequence statements and impact levels that offer a standardised model for all Victorian public sector organisations to use. The fixed nature of these statements is critical in ensuring that organisations employ consistent valuation criteria when assessing official information, and in turn enable secure information sharing.

Instead, organisations should modify the descriptions provided under each of the sub-categories to suit their specific operating environment. This may be based on their functions, size, resources or information assets and interchange references where appropriate.

Organisations should consider guidance contained in section 10.2.2 of the VPDSF Assurance Collection, which helps describe the relationship between the BIL table and consequence matrix mapping, if they are having issues in applying this model within their agency.

Concerns around issues with the concept of ‘open by default’ that can be seen to conflict with the basic security principle of ‘need-to-know’

Principle 1 of the DataVic access policy states that ‘government data will be made available unless access is restricted for reasons of privacy, public safety, security and law enforcement, public health, and compliance with the law’.

This principle supports a fundamental security concept under which organisations must first perform an information assessment, in order to determine whether the data is indeed appropriate for release.

An information assessment will also help inform who the data can be shared with (i.e. particular entities or individuals) and whether the proposed audience has a ‘need to know’.

If the information assessment determines that the material should be ‘open’ and available to users (as an assessment has determined that there are no confidentiality restrictions limiting access to the data) then efforts should be made to ensure the continued integrity and availability of this information.

When conducting the BIL assessment which level do you choose when they are different across the CIA?

The BILs form the basis of an information valuation assessment, helping users identify potential impacts arising from a compromise to the confidentiality (C), integrity (I) or availability (A) of official information.

Having finalised an information assessment, users are presented with 2 numbers. A numerical BIL for the:

• C (0, 1, 2, 3, or 4) and

• I and A (0, 1, 2, 3, or 4)

Depending on the potential consequences to the information, different levels / numbers may be identified. Where this is the case, users should refer to the highest impact level selected across the C, I, A, as this indicates the overall value.

Note! The security controls needed to protect the information are dictated by the highest level identified in the assessment. See example below –


IMPORTANT! Protective markings have a one-to-one relationship with the Confidentiality assessment. If the assessment arrives at a higher rating for ‘Integrity’ or ‘Availability’, the protective marking does not change.

How long does it take to undertake the IAR activity?

Different agencies will approach the development of their IAR in different ways, and as such the timeframe will vary.

Rough time estimates have been provided by different agencies by way of example; however, different approaches were adopted in forming their organisation-specific IARs –

Commissioner for Privacy and Data Protection (CPDP)

Description of review: 4 main business areas and roughly 20 – 25 staff. Fairly detailed discovery process

Initial information review (discovery) process: 1 – 2 months

Initial populating the IAR: 1 – 2 months

Personnel facilitating / assisting: 1 – 2 Data Protection Branch staff to help facilitate workshops, answer questions and populate IAR template

N.B. Ongoing maintenance of the IAR.

Department of Justice and Regulation –

Description of review: approx. 80 business units

Both the initial information review (discovery) and populating the IAR: approx. 12 months

Personnel facilitating / assisting: Rotation of 2 staff members


Victoria Police –

Description of review: ‘Light’ discovery process of roughly 40 business units

Initial information review (discovery) and populating the IAR: 3 months

Personnel facilitating / assisting: 1 staff member

How much involvement with IT folk and other registers in place e.g. IT asset register?

When CPDP conducted our information review, we used the shared network drive to identify our initial soft copy information holdings and hard copy files to identify our hard copy information holdings. Moving forward, this will be an iterative process, with new assets added as material is created in both forms.

IT are a useful ally in this process, as are other work areas across the business. Each business unit can help identify different information holdings, and help form important inputs into the central organisational IAR.

A technology solution is not essential to create an organisational IAR, as an excel spreadsheet (as provided in the sample VPDSF IAR template) is more than sufficient to record and manage information assets.

Statement: Integrated set of controls for all ‘CIA’ rather than 2 sets of controls

When an organisation performs a value assessment (using Business Impact Levels (BILs)) they are presented with two outcomes.

• The first being the protective marking for the information (confidentiality assessment).

• The second identifies where enhanced security measures are required to further protect the information from unauthorised alteration (where the accuracy of the information is paramount) and ensuring that the information is available when required. These security measures may be beyond those informed by the protective marking.

As such, organisations need to consider the overall value of the information and select integrated security measures to maintain its confidentiality, integrity and availability.

There is no requirement to have 2 sets of controls to manage the C and then the IA of information.
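As an added illustration of the valuation rules described in the Q&A items above (the overall value is the highest level across C, I and A, the protective marking follows the Confidentiality assessment alone, and a higher I or A calls for enhanced measures rather than a second marking), here is a small Python script that is not part of the OVIC information sheet or of any VPDSF template or app. The CSV column names and the sample register rows are constructed assumptions, and the numeric C BIL stands in for the protective marking because the sheet does not list marking names.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# BIL scale used on the sheet: each of C, I and A is rated 0, 1, 2, 3 or 4.
VALID_BILS = range(0, 5)

# Constructed sample register (not OVIC data). The column names are an
# assumption; the headings in the VPDSF sample IAR template may differ.
SAMPLE_IAR = """Asset,BIL C,BIL I,BIL A
Staff contact list,1,1,2
Public website content,0,2,3
Case management records,3,2,2
"""


@dataclass(frozen=True)
class Valuation:
    asset: str
    c: int
    i: int
    a: int

    @property
    def overall(self) -> int:
        # Overall value is the highest level across C, I and A (not a sum).
        return max(self.c, self.i, self.a)

    @property
    def marking_level(self) -> int:
        # The protective marking has a one-to-one relationship with C;
        # a higher I or A never changes it. The numeric C BIL stands in
        # for the marking here (placeholder, marking names not on the sheet).
        return self.c

    @property
    def needs_enhanced_measures(self) -> bool:
        # Second outcome of the assessment: where I or A exceeds C, extra
        # integrity/availability measures are needed beyond those the
        # protective marking alone would imply.
        return max(self.i, self.a) > self.c


def parse_bil(raw: str, attribute: str, asset: str) -> int:
    """Validate one recorded BIL; anything outside 0-4 is a data-entry error."""
    try:
        value = int(raw.strip())
    except ValueError:
        raise ValueError(f"{asset}: {attribute} BIL {raw!r} is not a number") from None
    if value not in VALID_BILS:
        raise ValueError(f"{asset}: {attribute} BIL {value} is outside 0-4")
    return value


def load_register(csv_text: str) -> list[Valuation]:
    """Read the three recorded BILs per asset from CSV text."""
    register = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Asset"].strip()
        register.append(Valuation(
            asset=name,
            c=parse_bil(row["BIL C"], "C", name),
            i=parse_bil(row["BIL I"], "I", name),
            a=parse_bil(row["BIL A"], "A", name),
        ))
    return register


def with_overall_column(csv_text: str) -> str:
    """Re-emit the register with the derived 'Overall value' column that some
    organisations add, plus a flag for enhanced I/A measures."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Asset", "BIL C", "BIL I", "BIL A",
                     "Overall value", "Enhanced I/A measures"])
    for v in load_register(csv_text):
        writer.writerow([v.asset, v.c, v.i, v.a, v.overall,
                         "yes" if v.needs_enhanced_measures else "no"])
    return out.getvalue()


def highest_value_assets(csv_text: str) -> list[str]:
    """Assets whose overall value is the register's maximum: the ones whose
    security measures are dictated by the highest level identified."""
    register = load_register(csv_text)
    if not register:
        return []
    top = max(v.overall for v in register)
    return [v.asset for v in register if v.overall == top]


if __name__ == "__main__":
    print(with_overall_column(SAMPLE_IAR))
    print("Highest-valued assets:", highest_value_assets(SAMPLE_IAR))
```

Note that the second sample row has no confidentiality restriction (C = 0, i.e. ‘open’ material) yet still carries a high overall value, which is the point the ‘open by default’ answer above makes about continued integrity and availability.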


There has been no discussion of using RDA’s in the IAR

The sample VPDSF IAR template does reference Retention and Disposal Authorities (RDAs). Organisations need to consider their own operating environment, as well as any legislative or administrative requirements surrounding their information and records management, when building their own IAR.

Should organisations publish their IAR in their annual report?

Part 2, section 11 of the Freedom of Information Act (1982), requires a statement of certain documents in possession of agencies to be published (i.e. a comprehensive list of the information assets that are being held).

Where possible, organisations are encouraged to publish authorised IAR content on their websites. Organisations are not required to publish exempt matter, or information prohibited by another enactment or confidentiality provision or where access is restricted for reasons of privacy, public safety, security and law enforcement, public health, and compliance with the law.

Not all IAR items should be published on the website

As referenced above, only approved IAR entries (i.e. content within the IAR that has been deemed appropriate and has been approved for unlimited public release) should be published.

This does not restrict the identification of particular IAR entries that may be sensitive or security classified, but if there are entries where the descriptions surrounding the content need to be restricted, then due consideration should be given to these before publication on a website.

Where do I get the template from though? I can't find it on the website

The following templates are available for download from the CPDP (OVIC) website.

• Information Asset Register template – Click here to access a copy

• VPDSS Self-Assessment template – Click here to access a copy

• Example SRPA template – Click here to access a copy

• Current PDSP template – Click here to access a copy

Still unclear if Local Government Authorities (LGAs) need to comply. The Municipal Association of Victoria (MAV) presentation didn't really answer that for us.

Please refer to the updated VPDSF Applicability Visual which helps explain the relationship of different agencies to the VPDSF and seek legal advice.

Click here to access a copy

Give us a tool to register assets. By this I mean buy a tool and give access to all government agencies with examples of common reason such as finance HR procurement etc. Use standard classification and PSPF BILs

Chapter 1 – Appendix B of the Information Security Management Collection includes an excel document for organisations to use as a template IAR. This template includes reference to the VPDSF BILs which uses similar wording to the PSPF BILs but has been customised to reflect the Victorian Government operating environment.

The excel template was chosen as it will run in any environment and can be edited to suit the particular needs of the organisation.

For examples of information assets, refer to Chapter 1 – Appendix A of the VPDSF Information Security Management Collection.

Click here to access a copy

How do we obtain copies of today's slide packs?

Copies of past presentations can be accessed on our website.

Click here to access a copy

My understanding is that LGAs only need to comply if they are Committees of Management for Crown Land Reserves. But what does that mean in practice?

Local Government Authorities (LGAs) should seek their own legal advice on the applicability of the VPDSF to determine whether they need to align with the VPDSF and adhere to the VPDSS. This advice may depend on whether the LGA:

• acts or performs the functions of a public entity. If they do, they need to apply the VPDSF in relation to those functions (Section 5(4) of the Public Administration Act (2004)), or

• needs to apply data protection measures as a result of:

o Information Privacy Principle 4

o Health Privacy Principle 4

o Information Sharing Agreements / Memorandums of Understanding (MOU)

o Contracts

o Other legal, regulatory and administrative obligations

To assist in these discussions, LGAs should consider the VPDSF Applicability Visual which can be accessed here.


In practice, this means that LGAs should consider the legal, administrative and regulatory environment in which they are operating and consider the VPDSF Five Step Action Plan.

The key is explaining the "what's in it for me"? How do you do that and what quantifiable reasons can you state on an individual basis?

The business benefits in adopting the VPDSF and following the Five Step Action Plan include (but are not limited to):

• Reduced time in responding to FOI requests (discovery)

• Streamlining business processes based on a sound understanding of the information assets supporting core functions and activities

• Assist in insurance discussions

• Reduce duplication of effort on a local level

• Assist with information management

• Helping build business cases for increased resourcing

• Ensuring that individuals have reliable and timely access to information in order to do their job efficiently and effectively

At what stage do you account for replicas of information (and identify distinct owners)?

Organisations should use the information review as an opportunity to identify duplicate material (both hard and soft copy) and archive or delete additional content where it is no longer required.

This exercise should also help work through the different roles, responsibilities and accountabilities surrounding information assets across the organisations, including identifying originator, owner, and custodians.

Some filled in examples on the sample template would help. Whilst there is no right or wrong - there is definitely 'best practice' when it comes to the application of metadata.

OVIC will look to release approved extracts of its own IAR (where appropriate) as an example of what agencies or bodies may look to record in their own register.

Hi, just wonder if you are providing a template or sample of a Data Security plan?

The current PDSP template is available for download from the VPDSF resources page on the OVIC website - Click here to access a copy


The BIL assessment outcomes slide narrows BIL to ONE number yet IAR template asks us to record 3 numbers (one each for C I A). Which should we record?

In the sample IAR template, the VPDSF requirements tab lists the minimum attributes that organisations should record and actively manage these from a VPDSF perspective. This tab does require organisations to record a BIL number for the Confidentiality (C), Integrity (I) and Availability (A) attributes of the information.

These are not mandatory fields and the template can be customised. For example, some organisations have chosen to add an additional column labeled ‘overall value’ and recorded the highest value they have received from the assessment.

If users choose to perform a value assessment using the BIL mobile app, the final results screen will display an ‘overall’ value, but will also identify individual BIL results for the C, the I and A.

What strategies does DJR recommend for ongoing management and maintenance of the Information Asset Register once complete or drafted?

The IAR should be part of any organisation's assurance process - with links to information management, security, risk and assurance, that way there is an integrated approach which results in an opportunity for streamlining updates and review of the IAR. Tying the IAR to one of these processes and/or ensuring that it appears on a corporate calendar (such as financial and risk attestation processes) will support maintenance, and provides opportunity for the IAR to be an annual item on a governance body's agenda.

Another suggestion is to include a line item in project management processes which notes ‘add to/update the IAR’. This will ensure it is actively considered in any new initiatives as they are introduced into your environment rather than left to a review exercise.

Can DJR share the facilitation guide?

Yes – please write to [email protected] for DJR guides.

For DJR - From your review describe what changes you made, what new value they added to DJR’s objectives and how you measured this extra value?

There were a number of lessons learned through reviewing our IAR project which have informed and improved the department’s approach to the next steps. The key takeaways are:

• Taking time to ensure that the right people are selected for content workshops. We found that workshops did not work well when the participants only consisted of Records Liaison Officers and other Information Management and Security staff. Rather than this, operational staff should also attend alongside as they add value.


• Gaining sponsorship from senior executives as there is a need for whole of department buy in and support up front to formalise the plan.

• Making sure that the initial engagement with Business Unit Heads and Managers included a briefing about the process to ensure that those people attending workshops are able to contribute to the decision making.

• Promote the IAR and its underpinning philosophy of enabling information sharing.

• Have a structure in place to undertake data collection by Business Unit rather than information type or another way of collating content as it held up well to organisational changes.

• Target specific Business Units with a relevant need for an IAR to support your first round of engagement and use their example to engage other business areas who may be reluctant to change.

• Develop business rules and naming conventions and stick to them otherwise you could have to rework the content. And always reuse these business rules to rework content.

• Tailor workshops – don’t cookie cutter them. Stakeholders’ needs are different. Get to know who you are engaging.

• Reduce the use of jargon and acronyms in workshops. It can alienate and intimidate staff from joining in a conversation.

• Allow time for data calibration at the end and handover to the Business Unit; be cognisant of an opportunity to build the use of the IAR into business processes such as risk management and attestations.

• Consider other government initiatives when developing the IAR and where possible build them in to the scope to ensure that you are not later having to repeat some of the process – be aware of what is ahead and keep informed during the process – scan the environment.

How did DJR deal with the issue "it's not my task, not in my position description"

As public-sector employees, we have an obligation via the Victorian Public Sector Code of Conduct to handle official information in accordance with relevant legislation, and relevant policies and procedures. As the IAR contains information that's pertinent to our obligations under Freedom of Information, and Privacy and Data Protection legislation, we all have an obligation to support maintenance of data in the IAR.

Forum date – 28th September, 2017

Questions Answers

How does VPDSS apply to the higher education sector?

The applicability of the VPDSF and VPDSS for those in the higher education sector varies, as it comes down to the type of organisation (University vs. TAFE) and / or its functions.

As a starting point, please consider the VPDSF Applicability Visual which will help identify if your organisation has obligations in this space and seek legal advice if unsure.

How does this apply to disability sector? Is there an expectation that they need to report?

The applicability of the VPDSF and VPDSS for those in the disability sector varies, depending on the form and function of the organisation.

As a starting point, please consider the VPDSF Applicability Visual which will help identify if your organisation has obligations in this space and seek legal advice if unsure.

What time and people resources would agencies need to put on to develop their IAR?

There is no set amount of time or resources for the development of an organisational specific IAR.


Refer to earlier Q&A around how different agencies have approached this exercise.

How does VPDSS apply to healthcare sector?

As a starting point, please consider the VPDSF Applicability Visual which will help identify if your organisation has obligations in this space and seek legal advice if unsure.

Comment: Learnings by Justice Department about managing engagement - very good summary provided. Very valuable if provided in a tip sheet.

Please write to [email protected] for this tip sheet.

Any tips on how the info asset register stays up to date, many of our registers get made then shelved, only to create a new register a few years later?

In addition to the response to the question “What strategies does DJR recommend for ongoing management and maintenance of the Information Management Asset Register once complete or drafted?” from the 20 September VISN, Justice takes a joined-up approach on the maintenance of our IAR with other business areas such as our information management business area.

This is evident where information collected by the DJR Security Management and Assurance Directorate relating to security information management is shared with the DJR IM area, so that this information can be maintained in one central system (i.e. information pertaining to security, and information pertaining to records disposal classes, is maintained in the one source).

There is a commitment to maintaining a single source of truth via the IAR, reducing duplication and re-work by differing areas.

Further, with a formal annual review process, alongside informal means of checks and balances, the IAR improves and evolves. Accordingly, enhancement efforts are more attractive than 'shelving' and starting from scratch.

Would/could the IAR template work as a database (e.g. Access) instead of a spreadsheet?

Organisations are welcome to use whatever tool or system they want as their IAR, recording the attributes outlined in the sample VPDSF IAR template.

An IAR is obviously subject to change, what is considered a reasonable time span between reviews?

This will depend on each organisation as there is no set timeframe for review. Ultimately as time and resources permit, we encourage organisations to update the contents of the IAR to ensure that the business has a reliable central reference point.


Catalysts for review of your IAR may include, but are not limited to:

• mergers, acquisitions or dissolution of business areas or units

• updated business functions or activities

• changes to business processes or procedures

How does the VPDSS apply to the Vocational and Educational Training (VET) sector and Registered Training Organisations (RTOs) in particular?

VET providers and RTOs with access to Victorian public-sector data may have general data protection obligations arising from contractual obligations or conditions set out in information sharing agreements with a Victorian Government agency or body. These agencies or bodies may require a VET provider or RTO to offer a level of assurance on how their information is secured under these arrangements.

Please consider the VPDSF Applicability Visual which will help identify if your organisation has obligations in this space and seek legal advice if unsure.

Examples seem to use teams to manage this. How are small orgs supposed to manage this with 1-2 staff who will be doing this as another add-on to their day job?

Different agencies will approach this exercise in different ways. This will obviously be influenced by the size, risks and resources of the organisation. Ultimately, it’s not about ensuring all of the measures are in place day one, it’s about managing the risks to official information.

Refer to earlier Q&A around how different agencies have approached the development of their IAR with limited personnel resources to assist.

Is it a set standard to determine the value of the asset using the VPDSF methodology (e.g. sum up C plus I/A rather than considering the highest of C/I/A.)

OVIC provides Business Impact Levels (BILs) as the standard method to assess the value of an information asset. The assessment process is set out in Chapter 2 of the VPDSF Information Security Management Collection.

In short, organisations need to consider the highest rating received from assessing the C, I and A in order to determine the appropriate security measures required to protect the information asset.

How is developing an Information Asset Register related to developing a Protective Data Security Plan?

The development of an IAR is an essential first step in helping organisations understand what information assets they have across the business and forms an important input into the development of their Protective Data Security Plan (PDSP).


Simply put, organisations can’t protect what they don’t know.

Refer to the VPDSF 5-step action plan to see where each of these steps resides.

I realise we must have a PDSP developed by July 2018 but is there a time limit to when the measures outlined in the Plan itself must be implemented?

Every Protective Data Security Plan will differ. The information types, risks and treatment options available, as well as any existing measures that may already be in place will vary from organisation to organisation. As such it is up to the organisation to develop a realistic work plan and associated timeline to address these risks as appropriate.

Our office will not be mandating a work plan deadline.

Is the Information Asset Register mandatory?

Victorian public-sector organisations operate under a range of legal, administrative and regulatory obligations. These include provisions requiring the publication of information concerning functions etc. of agencies, by comprehensively listing the material it holds (FOI Act, 1982). To meet this provision, as well as other core IM requirements, organisations are strongly encouraged to develop an IAR.

Can the DJR create a tip sheet about how they went about their IAR project in terms of how they carried out their engagement with the different areas of the DJR?

Please write to [email protected] for this tip sheet.

What are the required fields in the IAR and do they have to be completed?

The sample IAR template is split out across 3 main worksheets, with an overview provided on the first tab.

• The first worksheet lists the required fields to assist in managing the security attributes of your information assets. This tab is titled VPDSF Requirements.

• The second worksheet identifies the ‘core’ IM requirements that organisations should capture to address the more common IM legal, regulatory or administrative references. This tab includes the VPDSF requirements, but also incorporates references from other legislation, policies and instruments across Vic Gov. This tab is titled Core (inc. VPDSF reqs).

• The third worksheet lists supplementary attributes that organisations may want to record against their information assets. This tab is titled Supplementary.

The fields included in the sample IAR template are not exhaustive, but act as a helpful reference point for organisations to consider when developing their own IAR. The sample IAR incorporates requirements from:

• Victorian Protective Data Security Framework (VPDSF)

• Public Record Office Victoria (PROV)

• Freedom of Information (FOI)

• Department of Premier and Cabinet (DPC) – Enterprise Solutions Branch

• Victorian Auditor General’s Office (VAGO) recommendations

Some organisations may find they have additional requirements that have not been presented in this spreadsheet, whereas others may identify some references that do not apply to their particular agency or body.

How does developing an IAR link with the Security Risk Profile Assessment (SRPA)?

The SRPA development process consists of four main steps:

1. Risk identification

2. Risk analysis

3. Risk evaluation

4. Risk treatment

The IAR acts as a foundational reference for step 1 (risk identification), as the organisation’s information assets will be the focus of the SRPA.

For more information on the relationship between an IAR and a SRPA, refer to Chapter 1 of the VPDSF Assurance Collection.