Context
Victorian Government departments and agencies are encouraged to use existing ICT solutions across government. If there are no existing systems, agencies may consider cloud services as a replacement. The Victorian Government Cloud Security publication helps agencies evaluate, purchase, implement and manage cloud-based IT services.
Guidance
The guide outlines four main actions:
Governance
Understand the nature of information being handled by the service
Understand the security capability of the service
Ensure the agency has secured aspects of the service that are the client’s responsibility
Governance
If there is a single agency, that agency is responsible for all governance and risk management activities of the service. However, if multiple Vic Gov agencies are using the service, the guide recommends the following roles:
Lead agency — The agency given responsibility to oversee the security evaluation and management planning process
Participating agency — All agencies that use the system are accountable for information security and should be satisfied with the risk management in place
Advisory agency — Departments and organisations that provide specialist support for projects of high significance
Understanding the nature of information being handled by the service
Agencies should rate the value of the information they’re handling using the Victorian Protective Data Security Framework (VPDSF) Business Impact Levels (BILs), along with any specific legislative obligations.
Understand the security capability of the service
Agencies should understand the security configuration options of the service they’re considering.
If the information has a confidentiality rating greater than zero, agencies should give preference to cloud providers that have been certified by the Australian Signals Directorate (ASD). Note: since this guidance was published, ASD cloud certification has been replaced by new cloud security guidance released by the Australian Cyber Security Centre and the Digital Transformation Agency.
Ensure the agency has secured aspects of the service that are the client’s responsibility
Agencies should have a System Security Plan in place to ensure they meet their security responsibilities within the cloud service. Examples of the possible security controls include:
Access to appropriately skilled resources to secure the service
Incorporate appropriate Identity and Access Management (IdAM) from the outset
Ensure secure communications between the client and the service
Establish a security control regime using third-party tools
Take full accountability for application and data security
Salsa Digital’s take
Cyber security is essential to maintaining confidentiality and trust between citizens and governments through the protection of information, technology and IT infrastructure.
Salsa not only delivers technology and innovation to help governments better engage with citizens, but also designs and builds robust systems that safeguard data from cyber threats and breaches.