Date: 15 March 2021
Author: Phillipa Martin

Context

Victorian Government departments and agencies are encouraged to use existing ICT solutions across government. Where no existing system is available, agencies may consider cloud services instead. The Victorian Government Cloud Security Guidance publication helps agencies evaluate, purchase, implement and manage cloud-based IT services.

Guidance

The guide outlines four main actions:

  1. Governance

  2. Understand the nature of information being handled by the service

  3. Understand the security capability of the service

  4. Ensure the agency has secured aspects of the service that are the client’s responsibility

Governance

If a single agency uses the service, that agency is responsible for all of its governance and risk management activities. However, if multiple Victorian Government agencies use the service, the guide recommends the following roles:

  1. Lead agency — The agency given responsibility for overseeing the security evaluation and management planning process

  2. Participating agency — Every agency that uses the system remains accountable for its information security and should be satisfied with the risk management in place

  3. Advisory agency — Departments and organisations that provide specialist support for projects of high significance

Understand the nature of information being handled by the service

Agencies should rate the value of the information they’re handling using the Victorian Protective Data Security Framework (VPDSF) Business Impact Levels (BILs), together with any specific legislative obligations that apply.

Understand the security capability of the service

Agencies should understand the security configuration options of the service they’re considering.

If the information has a confidentiality rating greater than zero, agencies should give preference to cloud providers that have been certified by the Australian Signals Directorate (ASD). Note: since this guidance was published, ASD cloud certification has been superseded by new cloud security guidance released by the Australian Cyber Security Centre and the Digital Transformation Agency.

Ensure the agency has secured aspects of the service that are the client’s responsibility

Agencies should have a System Security Plan in place to ensure they meet their own security responsibilities within the cloud service. Examples of possible security controls include:

  • Ensure access to appropriately skilled resources to secure the service

  • Incorporate appropriate Identity and Access Management (IdAM) from the outset

  • Ensure secure communications between the client and the service

  • Establish a security control regime using third-party tools

  • Take full accountability for application and data security

Salsa Digital’s take

Cyber security is essential to maintaining confidentiality and trust between citizens and governments through the protection of information, technology and IT infrastructure.

Salsa not only delivers technology and innovation to help governments better engage with citizens; we also understand and build robust systems that safeguard data from cyber threats and breaches.