Victorian Government IT networks face constant threat of cyber-attack.
These incidents include online scams and fraud, malware and denial-of-service attacks, and the defacement of government websites. They threaten the safe and reliable delivery of government services and the confidentiality of sensitive and personal information.
Mission 1 aims to strengthen the defences of Victorian Government networks and services equal to the current and emerging threats. This mission will protect the confidentiality and integrity of sensitive information and support the reliable delivery of IT-dependent government services to the Victorian community.
Mission 1 key priorities
The privacy of sensitive information held by the Victorian Government is protected
The Victorian Government creates, collects and holds a significant amount of sensitive and personal information. From people’s medical records to sensitive police data, this information could cause harm to individuals, the community, the economy or the government if made available to the wrong people. This information must be protected to reduce the potential for harm.
Services delivered either online or in the physical world are resilient to cyber-attacks and can be quickly recovered when interrupted
Online services are often a cost-effective and convenient way for Victorians to interact with government. From obtaining a property title to renewing a license, online service delivery provides quick, easy and convenient access to government services. Further, many services delivered in the physical world such as trains, hospitals and water systems are reliant on IT systems. The Victorian Government has a responsibility to ensure the IT systems supporting these services are resilient to cyber-attacks.
Digital communications channels are trustworthy and free from manipulation
The Victorian Government communicates with businesses and individuals via multiple digital channels such as email, social media, online forums and websites. We have a responsibility to maintain public confidence in the authenticity of these communications by reducing the potential for manipulation.
Scope
Mission 1 incorporates the entirety of the Victorian Public Sector as defined by the Victorian Public Sector Commission. The sector comprises 1,817 agencies including 47 public service departments and offices, 1,544 school councils and 226 other public entities. In 2020 the Victorian Public Sector employed around 322,050 people, representing nine percent of Victoria’s workforce (correct at time of publishing).
Target state
Analysis of local and international data shows that while cyber-attacks continue to increase, the most commonly successful cyber-attacks can be prevented by using proven and effective controls. Government will ensure that the IT systems it uses implement a range of baseline information security controls. Critical services will be required to meet a higher minimum standard, which are fit-for-purpose and highly resistant to cyber-attacks.
In line with industry standards, the minimum expectation for government IT systems are:
Identify
We know what IT systems support government services, and we know where data supporting these services resides both within and outside our networks.
All information types and IT systems have been assessed for the harm that would occur if a breach of confidentiality, integrity or availability was to occur.
The monitoring and identification of IT systems occurs in near real time. We understand our threat environment – our cyber-attackers, their motives and their methods. We centrally develop and share intelligence that reduces cyber risk for the public sector.
Protect
All systems have implemented known effective baseline controls to protect against common attacks, including the Essential Eight*. Critical services are highly resistant to cyber-attacks.
Detect
All systems can detect common and unsophisticated attacks. Critical systems can detect sophisticated attacks.
Respond
All government organisations document and test processes for responding to cyber security incidents. These processes are aligned with the State Emergency Management Plan (Cyber Security Sub-Plan) and the Victorian Government Cyber Incident Management Plan. These processes are exercised annually (at a minimum) and updated regularly to support a continuous improvement cycle.
Recover
All government and critical services can be recovered within a timeframe determined by the entity executive. This recovery process is regularly tested.
Actions
Improve visibility and risk governance of IT assets
1.1 Develop an IT asset management guideline in line with Asset Management Accountability Framework (AMAF) and Victorian Protective Data Security Framework (VPDSF) requirements.
1.2 Develop and make available to Whole of Victorian Government (WOVG) training material on IT asset management guideline for both IT staff, line managers and executives.
1.3 Deploy with Victorian Managed Insurance Authority (VMIA) an Essential Eight status monitoring program.
1.4 Work with the National Cyber Security Committee to standardise government third party supplier security frameworks across Australian jurisdictions.
Improve adoption of baseline controls
1.5 Issue guidance on the successful implementation of the Essential Eight.
1.6 Issue Victorian Government recommended security configuration for Office365.
1.7 Issue guidelines for accessing classified information and security clearances for staff within Victorian Government entities.
Improve protection of services delivered via the vic.gov.au domain
1.8 Commence decommissioning unused services currently active on vic.gov.au domains.
1.9 Commence Domain-based Message Authentication, Reporting and Conformance (DMARC) implementation across all email services using the vic.gov.au domain.
Embed security by design as a core foundation principle
1.10 Establish a WOVG Third Party Risk program, embedding security by design as a foundational principle.
1.11 Establish central security architecture capability.
Reduce time and complexity to procure cyber goods and services
1.12 Establish a simple procurement process for Essential Eight related goods and services.
1.13 Set up a deed of standing offer with one or more preferred anti-malware service providers.
1.14 Set up a deed of standing offer with one or more suppliers of IT asset discovery and monitoring tools.
Improve ability to detect and respond to breaches
1.15 Issue log collection and retention guidelines.
1.16 Set up a deed of standing offer with Security Operations Centres (SOC) for critical services.
1.17 Establish a WOVG proactive threat hunting capability to detect new and emerging cyber risks.
Improve resilience of critical services
1.18 Undertake a cyber education program for government executives in critical service operations.
1.19 Work with critical service operators, other states and the Australian Government on issuing consistent cyber regulation and standards for critical services.
*The Essential Eight is a series of baseline mitigation strategies taken from the ACSC’s Strategies to Mitigate Cyber Security Incidents recommended for organisations. Implementing these strategies as a minimum makes it much harder for adversaries to compromise systems. You can learn more about the Essential Eight on the Australian Cyber Security Centre's website.
Updated