The Commissioner for Privacy and Data Protection released the Victorian Protective Data Security Framework (VPDSF) on 28th June 2016. It was drafted in accordance with the Privacy and DataProtection Act 2014 and it provides direction to Victorian public sector agencies or bodies on their data security obligations, along with a scheme for managing data security risks.
OpenGov spoke to Commissioner David Watts to learn more about the framework and the Victorian Government’s approach towards cybersecurity.
What do you see as the primary threats for cybersecurity in the public sector?
My answer might surprise you. One of the most significant cybersecurity threats to the public sector is failure in the personnel security domain. There are inadequate security clearances for public sector staff, inadequate security training. Because our people are inadequately trained, they are more likely to put an infected thumb drive into the USB slot on their computer. Or they are more likely to click on a link in a phishing email. For example, a growing threat to the Victorian public sector is ransomware. Our concern is that at the moment, there is a very large uncontrolled risk in the link between personnel security and cybersecurity.
It’s not the only one, but it is an uncontrolled and significant one. Research shows that a large amount of cybersecurity events are enabled by poor personnel security awareness and training and poor personnel security hygiene.
Recently, the Singapore government announced that internet access would be restricted from work computers from public sector employees from May 2017 onwards.
Singapore is a pioneer across the public sector generally and has robust approaches. We would be very interested in watching what Singapore does and understanding the effects and outcomes. We will be watching Singapore very carefully and learning from the work that it does.
What is your long term vision for the Victorian government IT systems and data security and privacy? Where do you see it in a timeframe of 5 years?
My vision is for the Victorian public sector to have the best technology and the best functionality, but in a way that is respectful of privacy and security. We don’t think there are trade-offs between beneficial, good technology on one hand and data security and privacy on the other hand. We think all those things can be designed together, if the proper approaches are taken. The proper approaches are ‘Privacy by design’ and ‘Security by design’. These ensure that good privacy and good security measures are built into the system from the outset, into high-functioning and elegant technologies and better services for the community.
How do you see the implementation happening of the recently released Victorian Protective Data Security Framework? What are the timelines?
Our main aim is to ensure that the Victorian public sector builds capacity and resilience. Our Assurance approach is to encourage their development through regulatory incentives.
We see a reasonable timeline of 3 years. We would expect organisations to develop compliance with the framework over those 3 years. We are proposing to set yearly targets. We will start with governance because without proper security governance, you have no control over development and rollout.
There needs to be robust executive sponsorship and leadership. Many of the standards in the framework relate to governance. We would wish to see in the first year that organisations move quickly towards adopting proper governance. In parallel to that, efforts have to be made by government departments to do two things. The first is to identify and understand the information they hold. The second is to value that information. The information needs to be classified, for example: Is it to be marked for official use only, or is it to be classified as protected or secret information?
Unless you know what information you hold, and you value it, nothing further can happen! That’s the reason why the first two chapters of our security guide are about valuing information.
How do you deal with concerns regarding variation in procedures and regulations between levels of government and agencies?
That’s an important question because cybersecurity is not only of national interest but also of interest for all of the states. To address that, we have worked very closely with the federal government to produce security standards that provide consistency between us and the federal government but which are also designed to meet the needs of the state government, which has different responsibilities from that of the federal government.
At the national level, we have worked very closely with the Commonwealth Attorney General’s department. We received valuable input and comments from Australia’s law enforcement and national security agencies through the Attorney General’s department.
At the same time, we are working in consultation with the other states of Australia. Some are waiting for us to finish our work. We have been very careful to adopt an approach that is consistent across Australia, but which also serves the need of the government of Victoria.
Our approach is derived from the ISO 27000 series of standards. We have also looked at security approaches in other jurisdictions. We have looked at the NIST standards out of the US. We also looked at Canada, England, New Zealand. In my consultations as privacy commissioner, we had conversations with my equivalent commissioners about developing consistent approaches and about co-operation. It’s a very important goal for Victoria to produce a security framework that will make our partners in the Asia-Pacific region confident enough for co-operation, collaboration and proper information sharing on a regional basis.
Because our approach is based around and consistent with international approaches, we think it would facilitate and support international data transfers. Singapore takes security seriously. I would hope that Singapore and other regional entities will look at our standards and say that Victoria is an appropriate partner. We believe that good security supports and assists in good information sharing.
Could you give some examples of the kind of international collaboration you mentioned?
I think one of the most obvious examples is international law enforcement. Authorities need to cooperate and share information to deal with international criminality. The need for law enforcement agencies is to be able to rely on each other, to protect sources, to protect operational plans, to protect methodologies.
Finance, insurance and telecommunications are other obvious candidates. What we are trying to do is to put in place definitions and building blocks to enable good information sharing in circumstances where it will be required. We want to develop solid foundations, that enable secure and responsible information sharing.
Could you please share your views regarding investment and time required for setting-up and improvement of infrastructure?
Security risk management can be done in a number of different ways. Some approaches rely on heavy investment in ICT infrastructure. It has to suit the practical needs of the enterprise. We think that although there is obviously going to be a need to invest in cybersecurity resources and in physical security, it is best done in an environment that encourages building of capacity. That’s why we take a 3 year approach to our regulatory responsibilities and implementation. We want to see growth in and commitment to the development of capability and resilience. The necessary expenditure would occur over those three years.
But remember, good security governance is not expensive. It requires executive time to make sure it happens and that it is structured and implemented properly.
In order to minimise costs and to make sure that any expenditure on security is a worthwhile expenditure, we have been very careful to link our approach to existing standards and initiatives. For example, our security standards are risk based and they link to the Victorian government’s risk management framework. We have tried to build on existing initiatives. That not only minimises costs but it also minimises regulatory expenses. It also reduces red tape because we are not introducing a new risk management approach. We are building on existing approaches and have tried to dovetail our work with other existing work that is relevant.
Recently a merger of the Office of the Freedom of Information (FOI) Commissioner and Commissioner for Privacy and Data Protection in Victoria was announced. There is an ongoing global discussion regarding the buzzwords of security, privacy and transparency and the overlap between these. Could you please share your views?
For citizens to trust government, they need to be confident that security is dealt with properly, that there is independent regulation over it. It’s important for there to be a trusted regulator who can provide assurances to the public that those issues are dealt with in accordance with best practice. Transparency and accountability are key factors in ensuring that there is confidence and trust.
It’s not good enough for government to say simply that we offer assurances. The public has a right to see it demonstrated. The public has a right to say ‘prove it’. My background before I was appointed to this job was as the security regulator for Victoria police -one of the largest police departments in the world. We have done a lot of security reviews and we made them public. Defects were pointed out, thoughts and ideas for areas for improvement were shared. We continue to do that.
It’s a delicate balance but it is necessary for regulators to be able to ensure that they have the trust of those they regulate and of the broader community in general.