Akolade data presentation by Paul O'Connor

Posted 19 July 2015

Page 1

A new data security framework for Victoria’s public sector

Government Data Summit, Canberra

Paul O’Connor, Security Audit Advisor, Office of the Commissioner for Privacy and Data Protection

26 February 2015

Page 2

Disclaimer…

This presentation is under Chatham House rules:

“participants are free to use the information received, but neither the identity nor the affiliation of the speaker, nor that of any other participant, may be revealed”

Page 3

Scope of this presentation

• Background on the speaker

• New legislation and a new regulator

• The Commissioner for Privacy and Data Protection

• The information security context in Victoria

• Key drivers for a new approach to data protection

• 'Best of breed' approach used to develop the Victorian Protective Data Security Framework

• Where to from here?

Page 4

Background on the speaker

Work

• 5 years as a journalist in Vietnam

• 15 years as an officer in the Army Reserve

• 15+ years in the Federal, Northern Territory and Victorian public sectors

• ~12 of these in the ANAO and VAGO

• Author of most major ICT audits issued by VAGO over the last 5 years

• Currently on secondment to the Commissioner for Privacy and Data Protection

Education

• BA Asian Studies (VUT)

• Post Grad Cert in PPPs (Melb.)

• Master of Public Infrastructure (Melb.)

Page 5

New legislation and a new regulator

In December 2012, the (then) Attorney General announced that the Government would establish an office of the Privacy and Data Protection Commissioner.

The announcement highlighted the need for an integrated, whole of government approach to data security, including protective security, as an essential part of strengthening the privacy and protection of personal information handled by and on behalf of the Victorian public sector.

New legislation was given bi-partisan support.

Page 6

Commissioner for Privacy and Data Security

Mr. David Watts is the inaugural Commissioner for Privacy and Data Protection.

The new Office was established by the Privacy and Data Protection Act 2014.

This new legislation repealed two previous Acts and combined two former Offices:

• Privacy Commissioner

• Commissioner for Law Enforcement Data Security

In addition to inheriting the functions of these previous Offices, the new Act added responsibility for protective data security standard setting, assurance monitoring and oversight of Victorian public sector bodies and agencies.

Page 7

Information Security Context in Victoria (1)

As we know, the threat environment is complex, dynamic and sophisticated:

• traditional actors (e.g. bored teenagers, hacktivists, insiders)

• are being overtaken by the new model of “e-crime-as-a-service”

• and the extreme technical threats posed by state-sponsored players.

Victoria is ill-prepared for these threats according to the Auditor-General:

“The policy, standards and protection mechanisms for the security of the state’s ICT systems and data have not been effectively applied. Agencies undertake only limited monitoring of suspicious internal network activity, and they do not have a capability to detect an intrusion into sensitive public sector systems.”

- WoVG Information Security Management Framework, Nov. 2013

Page 8

Information Security Context in Victoria (2)

The cyber threat for Victoria is real

According to the Cyber Security Operations Centre’s Cyber Intrusion Activity Report dated August 2013: Australian State and Territory Governments: January–June 2013:

“Between January and June 2013, there were approximately 40 cyber security incidents affecting state and territory governments. Of these 40 incidents, approximately 35 were considered serious enough to require further action and a CSOC response. The networks of the Victorian and West Australian state governments accounted for the highest proportion of cyber security incidents responded to by the CSOC between January and June 2013.”

Page 9

Key drivers for a new data protection approach

Recent VAGO audits identified data protection/information security problems:

- Maintaining the Integrity and Confidentiality of Personal Information (Nov. 2009)

- WoVG Information Security Management Framework (Nov. 2013)

Main issues identified as needing urgent rectification were:

• unenforceable information security policies

• fragmented approaches across agencies

• lack of effective regulation or oversight by central agencies

• contestable standards (ISO vs. COBIT vs. PSM vs. home grown)

• limited practical testing of security (i.e. penetration tests)

• ‘dark terrain’ where there is no policy coverage (i.e. ‘unknown unknowns’)

Page 10

'Best of breed' approach used to develop the new Victorian Protective Data Security Framework (1)

The new VPDSF will apply to some 2000+ agencies and will require agencies to take a holistic approach to data security.

• Local governments, hospitals, ambulance, and universities are exempt

We have attempted to take on board recent lessons and focus the work around observed weaknesses and likely threat vectors such as:

• lack of senior executive oversight/buy-in for information security

• flimsy and/or outdated risk and threat analysis by agencies

• too much focus on technical over personnel controls

• sparse checking and assurance that controls in place actually work

• heavy reliance on outsourcers/shared services but limited visibility of risks

Page 11

'Best of breed' approach used to develop the new Victorian Protective Data Security Framework (2)

The VPDSF draws on principal elements of existing Whole-of-Victorian-Government security policies, Australian and international security standards, policies, schemes, frameworks and benchmarks:

• ISO:27001

• COBIT

• PSM/PSPF

Although aligned with the Australian Government’s PSPF, the new Victorian standards depart in a number of ways to better support State government service delivery functions and to reflect contemporary security standards.

Page 12

'Best of breed' approach used to develop the new Victorian Protective Data Security Framework (3)

The 20 core standards in the VPDSF describe the high-level mandatory requirements.

The VPDSF comprises:

• Standards (high level statement explaining what the key principle is)

• Statement of Objectives (key intent of the standard - why)

• Protocols (advice regarding how to meet the standard)

• Guides and Tool Kit (specific resources to assist adoption of the Standards)

These four tiers of the VPDSF are designed to complement each other and provide agencies or bodies with the necessary information to make risk based decisions based on business requirements, specific circumstances and risk appetite.


Page 14

Where to from here?

All key portfolio agencies have been consulted on the draft framework.

The standards are close to finalization and are tracking for release by 1 July 2015.

Complementary activities also underway include:

• detailed consultation on the draft standards prior to release

• development and piloting of educational packages

• roll-out of stakeholder engagement plans

• development of standardized documentation and other guidance products

• definition and scoping of a monitoring and assurance system

• development of an incident, referral and intelligence database

Page 15

Discussion/questions?

E: Paul.O’[email protected]

T: 03 8684 1657