VICTORIAN PROTECTIVE DATA SECURITY FRAMEWORK (VPDSF) INFORMATION SECURITY MANAGEMENT COLLECTION



Published by the Commissioner for Privacy and Data Protection PO Box 24014 Melbourne Victoria 3001

First published June 2016 Amended May 2017

Also published on: http://www.cpdp.vic.gov.au

ISBN 978-0-6480788-6-9


VPDSF INFORMATION SECURITY MANAGEMENT COLLECTION DOCUMENT DETAILS

Security Classification: Unclassified

Dissemination Limiting Marker: N/A

Release Date: May 2017

Review Date: May 2018

Document Status: Final

Document Version: V1.1

Authority: Office of the Commissioner for Privacy and Data Protection (CPDP)

Author: Data Protection Branch – CPDP

For further information, please contact the Data Protection Branch on [email protected]


AMENDMENTS

AMENDMENT NO. / DATE / DESCRIPTION

Amendment 1 – Date: TBA

• Inclusion of new chapter on Managing Information Assets

• Minor adjustments to text and grammar throughout existing chapters

• Any former references to the VPDSF Information Security Guide are now superseded by the VPDSF Information Security Management Collection. This includes legacy references within the VPDSF and VPDSS.

• Numbering of sections throughout the collection

• Typo change to consequence descriptor listed against BIL 1 – Service Delivery


Contents

Introduction ........................................................................................................................................9

1. Background .....................................................................................................................................9

2. Purpose of the Collection ............................................................................................................9

3. Audience ........................................................................................................................................10

4. Use of specific terms in this collection ....................................................................................10

Chapter 1 – Identifying and Managing Information Assets ..................................................... 11

5. Scope .............................................................................................................................................. 11

6. Assumptions ..................................................................................................................................12

7. Legislative and regulatory obligations ....................................................................................13

8. Information Review ..................................................................................................................... 15

9. Define your information assets ................................................................................................ 20

10. Information Asset Register .........................................................................................................21

11. Continually review, validate and update ..................................................................................23

Chapter 1 Appendices – Information Asset Guidance ................................................................25

Chapter 1 – Appendix A – Sample questions and example information assets ............25

Chapter 1 – Appendix B – Sample IAR template .................................................................. 29

Chapter 1 – Appendix C – Information Asset considerations .......................................... 30

Chapter 1 – Appendix D – Suggested Information Management roles and responsibilities .......................................................................................................................33

Chapter 2 – Understanding Information Value ........................................................................ 34

12. Purpose .......................................................................................................................................... 34

13. Assessing the Value of Information ......................................................................................... 34

14. Victorian versus Commonwealth scheme ............................................................................. 39

15. Business Impact Levels (BILs).....................................................................................................41

16. How to read the BIL table .......................................................................................................... 42

17. Contextualising the VPDSF BIL table for your organisation ............................................... 43

18. Working examples ....................................................................................................................... 46

19. Continuous improvement assessment ....................................................................................51

Chapter 2 Appendices – Understanding Information Value ......................................................53

Chapter 2 – Appendix A – Stages of the information value assessment process .........53

Chapter 2 – Appendix B – VPDSF Business Impact Level (BIL) Table .............................. 54

Chapter 2 – Appendix C – BIL Mobile App ........................................................................... 66


Chapter 3 – Protective Markings ..................................................................................................67

20. Purpose ...........................................................................................................................................67

21. Introduction ..................................................................................................................................67

22. What are protective markings? ................................................................................................. 68

23. Protective markings scheme (Victoria) ................................................................................... 69

24. Protectively marked material from another organisation ....................................................77

25. Legacy classified information ...................................................................................................78

Chapter 3 Appendices – Protective Markings ..............................................................................79

Chapter 3 – Appendix A – Relationship between protective markings ..........................79

Chapter 3 – Appendix B – Common protective markings employed by each State and Territory ............................................................................................................. 80

Chapter 3 – Appendix C – Ready reckoner: How to select an appropriate protective marking ...................................................................................................................... 82


Introduction

1. Background

The Commissioner for Privacy and Data Protection (CPDP) issues security guides to support the Victorian Protective Data Security Framework (VPDSF). All elements of the VPDSF are inter-linked and should not be read in isolation.

The Information Security Management Collection forms part of a suite of supporting security guides provided in the Resources section of the VPDSF.

[Figure: the VPDSF suite of documents – Victorian Protective Data Security Framework, Victorian Protective Data Security Standards, Resources and Assurance Model. The text extracted from the figure reproduces the six Governance-domain standards of the Victorian Protective Data Security Standards (V1.0, pp. 32–37); they are set out below in numerical order.]

Victorian Protective Data Security Standards – GOVERNANCE

Standard 1 – Security Management Framework

Standard: An organisation must establish, implement and maintain a security management framework proportionate to their size, resources and risk posture.

Statement of Objective: To ensure security governance arrangements are clearly established, articulated, supported and promoted across the organisation and to enable the management of security risks to public sector data.

Protocol 1.1: There is executive sponsorship of the security management framework, and it is embedded in the organisation’s governance arrangements.

Protocol 1.2: The security management framework is implemented in the organisation’s governance arrangements.

Protocol 1.3: The security management framework is appropriately monitored and reviewed in the organisation’s governance arrangements.

Protocol 1.4: The organisation’s governance arrangements are improved and the security management framework is updated to respond to the evolving security risk environment.

Controls: An organisation should align its security management framework with ISO/IEC 27001:2013 Information Security Management. This material should be referenced when conducting assessments against these standards.

Standard 2 – Security Risk Management

Standard: An organisation must utilise a risk management framework to manage security risks.

Statement of Objective: To ensure public sector data is protected through the identification and effective management of security risks across the core security domains.

Protocol 2.1: There is executive sponsorship of security risk management, and it is incorporated in the organisation’s risk management framework.

Protocol 2.2: Security risks are identified and recorded in the organisation’s risk register.

Protocol 2.3: Security risks are appropriately monitored and reviewed in the organisation’s risk register.

Protocol 2.4: Security risk management is improved and the organisation’s risk management framework is updated to respond to the evolving security risk environment.

Controls: An organisation should align its security risk management practices with the Victorian Government Risk Management Framework (VGRMF). Further consideration should also be given to ISO 31000:2009 Risk Management: Principles and guidelines and HB 167:2006 Security risk management. This material should be referenced when conducting assessments against these standards.

Standard 3 – Security Policies and Procedures

Standard: An organisation must establish, implement and maintain security policies and procedures proportionate to their size, resources and risk posture.

Statement of Objective: To set clear strategic direction for the protection of public sector data.

Protocol 3.1: There is executive sponsorship of security requirements in the organisation’s policies and procedures.

Protocol 3.2: Security requirements are implemented in the organisation’s policies and procedures.

Protocol 3.3: Security requirements are appropriately monitored and reviewed in the organisation’s policies and procedures.

Protocol 3.4: Security requirements are improved and the organisation’s policies and procedures are updated to respond to the evolving security risk environment.

Controls: An organisation should align its security policies and procedures with the better practice guide Developing agency protective security policies, plans and procedures of the Protective Security Policy Framework (PSPF). This material should be referenced when conducting assessments against these standards.

Standard 4 – Information Access

Standard: An organisation must establish, implement and maintain an access management regime for access to public sector data.

Statement of Objective: To ensure access to public sector data is authorised and controlled across the core security domains.

Protocol 4.1: There is executive sponsorship of security requirements, and they are incorporated in the organisation’s access management regime.

Protocol 4.2: Security requirements are implemented in the organisation’s access management regime.

Protocol 4.3: Security requirements are appropriately monitored and reviewed in the organisation’s access management regime.

Protocol 4.4: Security requirements are improved and the organisation’s access management regime is updated to respond to the evolving security risk environment.

Controls: An organisation should align its access management regime with ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls [Access control]. Further consideration should also be given to relevant provisions within the National e-Authentication Framework and NIST Special publication 800-53, Security and Privacy controls for Federal Information Systems and Organisations. This material should be referenced when conducting assessments against these standards.

Standard 5 – Security Obligations

Standard: An organisation must define, document, communicate and regularly review the security obligations of all persons with access to public sector data.

Statement of Objective: To ensure all persons with access to public sector data understand their security obligations.

Protocol 5.1: There is executive sponsorship of the security obligations of all persons, and they are incorporated in the organisation’s personnel management regime.

Protocol 5.2: Security obligations are embedded into the daily functions and activities of all persons and reflected in the organisation’s personnel management regime.

Protocol 5.3: Security obligations of all persons are appropriately monitored and reviewed in the organisation’s personnel management regime.

Protocol 5.4: Security obligations of all persons are improved and the organisation’s personnel management regime is updated to respond to the evolving security risk environment.

Controls: An organisation should align its security obligations of all persons with the better practice guide Protective Security Guidelines Agency Personnel Security Responsibilities and Australian Government Personnel Security Protocol of the Protective Security Policy Framework (PSPF). This material should be referenced when conducting assessments against these standards.

Standard 6 – Security Training and Awareness

Standard: An organisation must ensure all persons with access to public sector data undertake security training and awareness.

Statement of Objective: To create and maintain a strong security culture that ensures that all persons understand the importance of security across the core security domains and their obligations to protect public sector data.

Protocol 6.1: There is executive sponsorship of a security training and awareness program, and it is incorporated in the organisation’s personnel management regime.

Protocol 6.2: The security training and awareness program is implemented in the organisation’s personnel management regime.

Protocol 6.3: The security training and awareness program is appropriately monitored and reviewed in the organisation’s personnel management regime.

Protocol 6.4: The security training and awareness program is improved and the organisation’s personnel management regime is updated to respond to the evolving security risk environment.

Controls: An organisation should align its security training and awareness program with the better practice guide Protective Security Guidelines Agency Personnel Security Responsibilities [Security awareness training] of the Protective Security Policy Framework (PSPF). Further consideration should also be given to relevant provisions within ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls [During Employment] and NIST Special publication 800-53 [Awareness and Training], Security and Privacy controls for Federal Information Systems and Organisations. This material should be referenced when conducting assessments against these standards.

2. Purpose of the Collection

The Information Security Management Collection is designed to assist organisations to implement the VPDSS. It provides the following guidance:

Chapter 1 Identifying and Managing Information Assets

This chapter provides a structured approach for Victorian public sector organisations to:

• identify what information assets exist (conducting an information review)

• articulate and define their information assets

• collectively record and manage their information assets (information asset register)

Chapter 2 Understanding Information Value

This chapter provides a common vocabulary and a structured approach to enable Victorian public sector organisations to assess the value of their public sector data (referred to as official information) by identifying the business impacts if official information were compromised.


Chapter 3 Protective Markings

This chapter provides guidance to Victorian public sector organisations on protective markings (i.e. what protective markings are available under the VPDSF and the basis for these).

3. Audience

This Collection is intended for Victorian public sector organisations (including employees, contractors and external parties) that are subject to the protective data security provisions under Part Four of Victoria’s Privacy and Data Protection Act (2014).

4. Use of specific terms in this collection

Please refer to the VPDSF Glossary of Protective Data Security Terms for an outline of terms and associated definitions.

4.1 What is an information asset?

An information asset is described as a body of information, defined and practically managed so it can be understood, shared, protected and used to its full potential. Information assets support business processes and are stored across a variety of media and formats (i.e. both paper based as well as electronic material).

Information assets have a recognisable and manageable value, risk, content and lifecycle.

An information asset can be a specific report, a collection of reports, a database, information contained in a database, information about a specific function, subject or process.


Chapter 1 – Identifying and Managing Information Assets

CPDP would like to acknowledge the assistance given in the development of this guide by the Public Record Office Victoria, DataVic Access Policy Team (Department of Treasury and Finance), Freedom of Information Commissioner, Enterprise Solutions Branch (Department of Premier and Cabinet), Victorian Auditor Generals Office, Victorian Information Management Group and the Information Management teams within the Victorian Department of Health and Human Services, Department of Education and Training and Department of Justice and Regulation.

5. Scope

This chapter supports the VPDSS information security standards. Additionally, the activities set out in this chapter will assist your organisation in the following (the relevant body is shown in brackets):

• developing its Security Risk Profile Assessment (SRPA) and Protective Data Security Plan (PDSP) (CPDP)

• meeting the requirements of the Victorian Government Standard for Information Management – Information Asset Custodianship, which requires significant information assets to be registered and assigned to an accountable custodian (DPC)

• identifying what information (datasets) might be suitable for release under the Department of Treasury and Finance (DTF) DataVic Access Policy and associated Guidelines (DTF)

• identifying high value and high risk information assets that impact the business (PROV & CPDP)

• identifying which information assets have the potential to be shared and integrated, inform decision making and offer insight (supporting key outcomes of the Victorian Government IT Strategy) (DPC)

• managing public records and implementing disposal programmes in accordance with the Public Records Act (1973) and Public Record Office Victoria Standards (PROV)

• considering what release provisions relate to specific information assets, set out under the Freedom of Information Act (1982) (FOI)

• adhering to the requirements set out under Part Two of the Freedom of Information Act (1982), which requires the publication of information concerning the functions, etc. of agencies by comprehensively listing the material they hold (FOI)


6. Assumptions

The activities set out across the following chapter are predicated on organisations having basic records management practices in place, and these practices operating effectively.

Public Record Office Victoria (PROV) sets standards for the efficient management of public records under Section 12 of the Public Records Act 1973. The standards apply to all records created by the Victorian Government and detail requirements for the creation, maintenance and use of these records. This guidance supports the PROV standards, based on essential recordkeeping activities.

Organisations should look to PROV material for further guidance on good records management principles and practices.

Organisations who have Information or Records Managers will be well placed to help drive the actions set out in this chapter.


7. Legislative and regulatory obligations

7.1 Understand legislative and regulatory context

Before undertaking any of the suggested activities or actions outlined in this chapter, your organisation should first consider the legal and regulatory environment in which it operates. This includes understanding any governance arrangements that your organisation has in place addressing the management and registration of its information assets. These details will help inform the development of your organisation’s information asset register (IAR) and what details are ultimately captured in this tool.

7.1.1 Legal and regulatory references

The table below provides sample legal, regulatory and administrative requirements governing the management of information assets in the Victorian Government. This is not an exhaustive list, but acts as a reference point for your organisation to consider. Some organisations may find they have additional requirements that have not been presented in this table, whereas other organisations may identify some of the references that do not apply to their particular agency or body.

REFERENCE – TITLE / DESCRIPTION

Victorian Protective Data Security Framework (VPDSF): The VPDSF is the overall scheme for managing protective data security risks in Victoria’s public sector, issued under Part Four of the Privacy and Data Protection Act (2014).

Public Record Office Victoria (PROV): PROV standards and policies assist Victorian government bodies with managing their information assets in accordance with the Public Records Act (1973).

DataVic Access Policy (DataVic): The DataVic Access Policy is applicable to all agencies (that is, all Departments and Public bodies) of the State.1

1 N.B. ‘Department’ and ‘Public body’ in the context of the DataVic Access Policy are defined in the Financial Management Act (1994). Public bodies include State business corporations and statutory authorities.


Freedom of Information (FOI): The Freedom of Information Act (1982) applies to Victorian state and local government agencies. This includes Ministers, State Government departments, local councils, public hospitals, most semi-government agencies and statutory authorities. Under Part 2 of the FOI Act, organisations are required to identify their information assets for material to be released under FOI. Establishing an organisational IAR will help achieve this.

Whole of Victorian Government (WoVG) Information Management Principles – (IM/GUIDE/00):

Principle 1: Information is recognised as a valuable asset

Principle 2: Significant information assets are managed by an accountable custodian

Principle 3: Information meets business needs

Principle 4: Information is easy to discover

Principle 5: Information is easy to use

Principle 6: Information is shared to the maximum extent possible

Former WoVG SEC STD 02 – Critical Information Infrastructure (CII): Enterprise Business Solutions (ESB) has confirmed that WoVG SEC STD 02 has been withdrawn with reference to Chapter 1 of this collection – VPDSF sample Information Asset Register. Any former requirements for an organisation to account for CII material are addressed in the fields outlined in the VPDSF IAR sample template.

Victorian Auditor General’s Office (VAGO) – Access to Public Sector Information Report (December, 2015): This report considered access to public sector information (PSI) and whether whole-of-government leadership and oversight has supported improved performance.

“Access to PSI would foster creative, innovative and often unanticipated entrepreneurial activities when businesses and citizens are allowed to use PSI to create products and services. Open access also enhances engagement between citizens and government on critical policy issues leading to broad economic and social benefits.”2

2 Victorian Auditor General’s Office (VAGO) – Access to Public Sector Information Report (December, 2015)


8. Information Review

8.1 What is an information review?

An information review is the starting point in helping your organisation evaluate the relationship between its information assets and the way in which these assets support the business needs of your organisation. An information review typically involves surveying all areas of the organisation to help identify what information assets exist, consulting with all business units and stakeholders.

When conducting an information review, it is critical that you champion information as a business asset in its own right, as opposed to simply considering the technology used to capture or manage the material.

Outcomes of an information review will be used to:

• inform the definition of an information asset for your organisation

• record these information assets in your organisation’s Information Asset Register (IAR). This register will differ from organisation to organisation3.

Having completed an information review, your organisation is positioned to effectively consider protective data security risks. The knowledge you gain from this review will prove to be an essential input into your organisation’s risk register4, as risk assessments cannot be properly undertaken without first identifying the assets that may be at risk5.

8.2 Conducting an information review

There are no specific requirements on how you should conduct an information review as each organisation has varied needs and will use their resources differently. The way in which your organisation completes an information review will depend on its size, resources, complexity and information holdings.

The following actions provide practical suggestions on how you may complete an information review.

ACTION NO. – ASSOCIATED ACTIVITY

Action 1 – Define the scope of the information review

Action 2 – Establish a sponsor for the information review

Action 3 – Identify key personnel (roles and responsibilities)

Action 4 – Draft communications

Action 5 – Determine how you will collect and capture responses from the business

Action 6 – Review existing resources

Action 7 – Engage all stakeholders and provide ongoing support

Action 8 – Review responses and record outcomes into your organisation’s Information Asset Register (IAR)

3 See Section 11 of this Chapter for more information on Information Asset Registers

4 Any security risks captured in the organisational risk register should be reflected in the organisation’s Security Risk Profile Assessment (SRPA)

5 Organisations should refer to the Victorian Government Risk Management Framework for further information on the risk management process.

Action 1 – Define the scope of the information review

It may be useful to take a staged approach when conducting an information review by focusing on the particular business areas or business processes that you intend to review first. Organisations should initially consider their core business functions, critical services or identified areas of risk and, as resourcing permits, expand to include all the organisation’s functions and information assets. To do this you should:

• prioritise initial efforts by focusing on the most important business activities and related information

• ensure the review captures all types of information irrespective of format (i.e. both soft and hard copy material need to be included and captured under the review)

• ensure you consider all information locations (i.e. hard copy material should include both onsite and offsite work places, as well as archived material that may be managed by an outsourced service provider, and for soft copy material this may include storage of material on corporate systems, cloud environments, and even employees’ personally owned equipment or personal computing devices).

Action 2 – Establish a sponsor for the information review

Any governance and management arrangements for an information review will need to be agreed by senior management before commencing. This agreement will form an important basis for the engagement with different stakeholders across your organisation.

To help support this engagement, your organisation should appoint a senior management sponsor or champion who understands the benefits of an information review and who will support and oversee the review activities. This may be the Chief Information Officer (CIO), Director, or for smaller organisations the public sector body head.

To help frame expectations, you might draft a briefing paper to help outline what will be addressed as part of the review. This briefing paper may also be used as a basis to develop a business case to ensure appropriate resourcing and funding is allocated to the project or subsequent projects.


Action 3 – Identify key personnel (roles and responsibilities)

Now that you have a sponsor, you should look to identify key personnel who can help with the review. This will include gaining a thorough understanding of any existing information management (IM) governance arrangements as well as an understanding of the various IM roles and responsibilities across your organisation. Each role will play a different part in the assessment, review and management of the information across its lifecycle.6

Action 4 – Draft communications

Begin by drafting up communications to support the information review. These communications should:

• ask whether there are any known or documented information assets,

• provide instruction and direction on how to identify different information assets, as well as

• how business units are expected to review their information holdings (discovery exercise).

These instructions will help establish a baseline on what attributes or elements the business should consider when reviewing their information holdings, identifying information collections and attempting to group their material into information assets (both soft and hard copy).

Action 5 – Determine how you will collect and capture responses from the business

Check the box once you have finalised this action

You may choose to use a survey or questionnaire to help business areas identify what information assets exist in individual work units. This can take the form of a written document or perhaps a set of interviews or focus groups with stakeholders drawn from across the organisation.

Each option has benefits and drawbacks. Responding to questions can take time and resources, so be mindful of this when drafting the information review requirements. Any subsequent analysis of the responses can also be challenging if the questions are not framed with a clear understanding and purpose in mind.

Sample questions and example information assets are outlined in Chapter 1 – Appendix A of this Collection.

Alternatively you may consider providing access to, or a copy of the sample IAR to individual business areas as an information-gathering tool for users to input directly into. This will reduce effort in translating a wide variety of responses into a single format, but may mean you have to provide additional assistance to business units seeking help in understanding what each field on the IAR means for their particular information holdings.

6 See Chapter 1 – Appendix D for more information on suggested Information Management roles and responsibilities


Action 6 – Review existing resources

Check the box once you have finalised this action

Reduce, reuse, recycle existing resources wherever possible.

Some organisations employ techniques to monitor their information holdings, and may already have resources in place that they can use to help identify what information assets exist across the different areas of their business. Other organisations may have manual processes or tools that they use to map different information types across the different areas of their business.

Consider what resources exist in your organisation. These could include:

• existing documentation from previous information audits (maybe recorded in a register),

• records management system(s)

• information sharing agreements (e.g. Memoranda of Understanding (MOUs), Letters of Understanding (LOUs), contracts)

• approved retention and disposal authorities (RDAs)

• technical environment registers

• configuration management databases or asset lists

• lists of information required to be reported externally (which may be found in contracts / funding documents).

Wherever possible re-use and adapt these existing resources as they can provide a basic foundation to build and develop an understanding of the different information assets across the organisation. There will almost certainly be additional information needed to gain a holistic understanding of all information assets, but this is a good opportunity for business areas to validate the currency of the content or fill in the gaps.

Older information may also be used as a ‘baseline’ for organisations to tailor questions or considerations when reaching out to the different business units.

Action 7 – Engage stakeholders and provide ongoing support

Check the box once you have finalised this action

Consultation with all areas of the business is essential when attempting to understand the different functions, activities, systems and technologies used across the organisation. Use your network of key personnel (owners, stewards, custodians, users, administrators) to push out the information review to the respective work group and business units.

Organisations should consider including external stakeholders in this discussion, who either rely on or provide information to different areas of the business. This type of engagement will help inform additional attributes that the organisation may want to record in its information asset register (i.e. informing access requirements).

When conducting the information review, be sure to communicate the business benefits in completing this exercise. These benefits may include:

• providing better visibility on what information assets exist and how these need to be managed (including understanding what tools and measures are required to manage the information and enhance business operations)

• identifying strengths and weaknesses of particular information assets

• mitigating risks and forming contingency plans (including the prioritisation of any efforts or resourcing to manage these assets)

• managing regulatory requirements for information assets (i.e. records management, FOI, security, open access, etc.)


• archiving or destroying redundant data (material that has no ongoing business benefit and is disposed in accordance with PROV Standards and Policies)

• using existing information assets to their full potential (reducing duplication of effort)

• potential cost savings (information that is rarely or no longer used on a daily basis may be moved to cheaper long term storage)

• increasing efficiencies (discoverability), effectiveness (information sharing potential), and economic gains (managing risks to the information and using the material to its full potential)

• assisting with interagency information sharing and interoperability as well as providing a valuable basis for sharing with industry and research partners.

By completing an information review, your organisation is properly positioned to understand the potential impact of change on its information assets and make informed decisions about where to prioritise investment in ensuring the continued usability of its information.

If you receive resistance from the business in completing the review use your executive sponsor (identified in Action 2) to support your engagement strategy. Be prepared for questions and requests for additional support and guidance from the business when conducting the information review.

Action 8 – Review responses and record outcomes into the IAR

Check the box once you have finalised this action

Once you have conducted the information review, the details you have collected on the different information holdings now need to be recorded in the organisation’s Information Asset Register (IAR)7. Section 11 of this Chapter provides additional insight into IARs.

CPDP has drafted a sample IAR template (supplied in Chapter 1 – Appendix B) which sets out some of the more common legal and regulatory obligations for the majority of Victorian public sector organisations. If you intend to use this template as a basis for your own organisational IAR, you will need to tailor it to ensure it reflects the unique operating requirements of your organisation.

7 See Section 11 of this Chapter for more information on Information Asset Registers


9. Define your information assets

9.1 Defining your organisation’s information assets

There is no set process on how your organisation defines what is and isn’t an information asset, as the definition should reflect your own unique business requirements.

Instead, you should define your information assets at a level of granularity that allows any individual components to be managed usefully as a single unit. Too broad and your organisation will not have enough detail to properly manage the material, too fine and it will have thousands of information assets.

The core attributes (or metadata) used to define or describe an information asset will vary from organisation to organisation. These attributes should describe specific features or characteristics of individual information items that can be grouped into a broader form that makes sense to the organisation. This may be based on specific collections, functions, subjects or processes. This broader form is then considered an information asset for that particular organisation.

9.1.1 Where to start

Start by broadly defining and describing the core attributes of what you would expect the asset to entail and then split the information groupings until they are of a suitable size. By establishing a baseline of what attributes are to be used to describe an information asset, your organisation can then begin to identify and group material that has ‘like’ or ‘related’ attributes.

By carefully drafting these definitions business units will be able to refer to these (and any associated questions) for direction on what they should include or exclude as part of their responses in an information review8. This initial process can be somewhat complex as information assets may be made up of individual items that need different solutions to address the same business need. At times a piece of information could logically belong in two different information assets, however try to simply reference these ‘linked’ information pieces and nominate a single information asset as the master asset. This will help reduce conflicts around ownership and control, which can lead to potentially complex business relationships.

9.1.2 What to consider when defining your information assets

The following considerations may help you decide whether individual information items can be logically grouped together into a broader information asset. These considerations include:

• Business context

• Externally sourced information

• Business classification (records management)

• Legal, regulatory or administrative obligations

• Business engagement.

Each of these considerations and supporting comments are captured in Chapter 1 – Appendix C of this document.

Remember! There is no right or wrong way to group information assets; however, organisations should ensure any information groupings are consistent and relevant to the organisation’s operating requirements.

8 See Section 9 of this Chapter for more information on conducting an information review


10. Information Asset Register

10.1 What is an Information Asset Register?

An Information Asset Register (IAR) is a tool that organisations can use to record collections of information (information assets) regardless of media or format.

An IAR also helps avoid any unnecessary duplication of information and delivers value back to the business by identifying what information resources exist and by providing the organisation (and responsible parties) with an overview of the information assets under their care.

An IAR can be a useful tool for users, managers and the broader business as it supports:

• the foundation and formulation of information management priorities and strategies

• governance arrangements (identifying at a high-level what information assets exist, the purpose of these assets, and the roles and responsibilities surrounding the access, use and management of the information)

• quality, evidence based decisions to deliver efficient, effective and economic business programs

• the identification of key information assets and systems (basis for business continuity programs and disaster recovery plans)

• preservation and archiving plans for both digital and hard copy material (PROV requirements)

• important conversations regarding the protection of the information (i.e. what security measures are needed to maintain the confidentiality, integrity and availability of the information asset)

• the identification of particular information assets that may be appropriate for public release (in support of the Data Vic Access policy and Freedom of Information (FOI) requirements)

• communicating back to the business what information exists across the organisation.

10.2 Developing an organisational IAR

Once your organisation has finalised its information review, the outcomes of this review need to be recorded in a central register. To do this, your organisation should design and develop its own IAR in which details of each information asset can be captured. The organisation’s IAR needs to be structured in a way that it is easy to see what is affected if there are changes to the information or business.

The way that your organisation develops its IAR will depend on its business objectives, the resources it has available and the legislative or regulatory requirements that the agency or body operates under. In Victorian government, public sector organisations operate under a variety of legal and regulatory obligations that direct how they are expected to access, use, secure and preserve official information9. These obligations, combined with your organisation’s specific business needs, form an essential basis for determining what material should be captured, recorded and managed in your organisational IAR.

The following high-level categories offer guidance on what your organisation may record in its IAR:

• Overview / Description

• Governance arrangements (roles and responsibilities)

• Information value/business impact assessment outcomes (security assessment of the confidentiality and any accompanying protective markings, as well as the impact level for integrity and availability)

• Usage, access and release arrangements

• Coverage

9 Refer to the VPDSF Glossary of Protective Data Security Terms for a definition of official information


• Business services

• Risks.

Each of these high-level categories is set out in detail in the sample IAR, with particular fields identifying unique details or attributes of each information asset. Your organisation should also consider any externally sourced or generated material, as it may also need to be recorded within the organisational IAR.

If you are unsure whether something meets the definition of an information asset, record it within the information asset register until such time as you can review or refine this record in subsequent assessments.

10.2.1 Selecting an IAR tool

Before building or procuring a tool for your IAR, first consult with the business to see if a tool is already available that could be used as a basis for an IAR, into which material can be entered and from which it can be extracted. Where a tool does not already exist, organisations may look to build a spreadsheet or document as an initial mechanism to record their information holding details.

10.2.2 Sample IAR

To assist organisations in developing their own IAR, a sample template has been included in Chapter 1 – Appendix B. Organisations may use this as a reference when developing their own organisation-specific IAR. The sample IAR template incorporates requirements from:

• Victorian Protective Data Security Framework (VPDSF)

• Public Record Office Victoria (PROV)

• Department of Treasury and Finance (DataVic Access Policy)

• Freedom of Information (FOI)

• Victorian Auditor General’s Office (VAGO) recommendations

• Department of Premier and Cabinet – Enterprise Solutions Branch.

N.B. Each organisation must consider their own specific operating requirements when defining what is and isn’t appropriate to include in their organisational IAR, adding or removing certain fields as required.

The sample IAR template does not include all possible fields that may need to be included in an IAR, as different organisations have different legal and regulatory obligations.


11. Continually review, validate and update

11.1 Review, validate and update the IAR

Your organisation should regularly review the status of its information assets and update both the content within the IAR and the IAR fields (at least annually or if there is a significant change to the organisation’s risks or operations). This will ensure the currency of the data gathered, as well as being able to amend or update information asset management plans to reflect any changes or developments in the organisation’s core business.

Key areas to consider include changes to:

• the status (i.e. active or inactive material, or perhaps legacy information)

• the legal or regulatory environment in which the organisation operates

• any information inputs or outputs (e.g. new or updated information sharing arrangements, or even the cessation of existing arrangements; the provision or receipt of information based on new or updated engagements with external parties or contracted service providers)

• the frequency of publications and the currency of the content in the IAR

• the security value of the material10

• confidentiality requirements of the material. If the confidentiality conditions are reduced, then this may introduce information release opportunities

• interoperability opportunities. Organisations should consider the overlaps between information processes, program management and project management methodologies, as well as any business process improvement initiatives to ensure that the currency of their information assets is maintained. For example, a project may need to update the organisation’s IAR and their associated roles and responsibilities due to the implementation of business processes and systems that create or use new information assets

• contracted service provider (CSP) arrangements and any inputs they may have to the IAR content or requirements. CSP arrangements can include external personnel working with the organisation’s information or looking after the organisation’s infrastructure or systems (e.g. outsourced ICT providers)

• definitions and groupings as these may also change over time (e.g. a particular project’s information assets may contain archived items that have been moved in long-term storage. Throughout the project lifecycle more material is created and other material is no longer actively used. This inactive material may be added to the archived information asset, which may continue to grow over time). Alternatively, the organisation may refine the way in which it articulates or defines an information asset, introducing additional granularity in its description. These changes need to be reflected in the IAR as definitions and groupings naturally evolve.

10 Refer to Chapter Two of this collection, for more information on how to assess the security value of information – ‘Understanding Information Value’


11.2 Review governance arrangements

Your organisation should ensure that its IAR is itself recorded as an asset in the register11, as well as defining a permanent owner and respective custodian of the IAR. This could be the organisation’s CIO or information manager (as opposed to the owners of the particular information assets described within it), who is ultimately accountable for the oversight, management and maintenance schedule for the tool, as well as ongoing engagement with the business. Depending on arrangements within your organisation, you may also consider identifying responsible officers in each business unit to maintain the currency of each unit’s input to the IAR. This will assist in ensuring that the information assets identified in the register are appropriately recorded, stored and maintained, and are accurate and not unnecessarily duplicated.

Should roles and responsibilities across your organisation change, these details need to be updated in the IAR. This may be due to new delegations being introduced, new personnel being on-boarded or the discontinuation of particular roles or functions.

If your organisation undergoes a significant change to its operating environment (like a machinery of government change prompting a merger or disassembly of some areas of the business) then these details also need to be updated and reflected in the IAR.

11.3 Manage change

Once your organisation has developed a comprehensive understanding of its current information assets and any associated requirements, it will find itself much better placed to assess how changes could affect those information assets. Changes may include adjustments to the information assets themselves, how they are managed, or potentially the technology supporting them or the business requirements driving them.

For specific changes, your organisation should undertake impact and risk assessments to identify appropriate mitigation actions as well as plan for contingencies. Your organisation may also use this information to improve its change management processes and assist with future change planning.

Finally, your organisation must ensure that the management of the IAR itself is considered within broader organisational change management processes. If the IAR is not updated when changes occur, it becomes redundant and misleading.
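The review triggers in sections 11.1 to 11.3 can be turned into a repeatable currency check over the register itself. The following is an added illustration, not part of this Collection or of the CPDP sample template; the field names, the 365-day interval and the sample records are constructed assumptions.

```python
"""Currency check for an Information Asset Register (IAR).

Added illustration of the review triggers in sections 11.1 to 11.3 of the
Collection; it is not CPDP code. Field names, the review interval and the
sample records below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=365)  # "at least annually" (section 11.1)
VALID_STATUS = ("active", "inactive", "legacy")  # section 11.1 status values


@dataclass
class IarEntry:
    title: str
    owner: Optional[str]
    custodian: Optional[str]
    status: str
    bil_confidentiality: int    # business impact level for confidentiality
    last_reviewed: date
    is_register: bool = False   # True for the IAR's own entry (section 11.2)
    csp_involved: bool = False  # a contracted service provider handles it
    linked_assets: list = field(default_factory=list)  # titles of linked assets


def review_iar(entries, today, previous=None):
    """Return (title, finding) pairs for entries needing attention.

    `previous` maps title -> confidentiality BIL recorded at the last review,
    so a reduced confidentiality requirement surfaces as a release
    opportunity (section 11.1). Findings for the register as a whole use the
    placeholder title "<register>".
    """
    findings = []
    known = {e.title.strip().lower() for e in entries}
    seen = set()

    # 11.2: the IAR is itself an asset with a permanent owner and custodian.
    if not any(e.is_register and e.owner and e.custodian for e in entries):
        findings.append(("<register>",
                         "IAR not recorded as an asset with owner and custodian"))

    for e in entries:
        key = e.title.strip().lower()
        if key in seen:  # 11.2: entries should not be unnecessarily duplicated
            findings.append((e.title, "duplicate entry"))
        seen.add(key)
        if not e.owner or not e.custodian:  # 11.2: governance roles assigned
            findings.append((e.title, "missing owner or custodian"))
        if today - e.last_reviewed > REVIEW_INTERVAL:  # 11.1: annual review
            findings.append((e.title, "review overdue (more than 12 months)"))
        if e.status not in VALID_STATUS:
            findings.append((e.title, f"unknown status {e.status!r}"))
        if e.csp_involved and e.status == "active":  # 11.1: CSP arrangements
            findings.append((e.title, "confirm contracted service provider arrangements"))
        for linked in e.linked_assets:  # 9.1.1: linked pieces name a master asset
            if linked.strip().lower() not in known:
                findings.append((e.title, f"linked asset {linked!r} not in register"))
        if previous is not None:
            old = previous.get(e.title)
            if old is not None and e.bil_confidentiality < old:
                findings.append((e.title, "confidentiality reduced: consider release"))
    return findings


def sample_register():
    """Constructed sample records; not from any real organisation."""
    return [
        IarEntry("Information Asset Register", "CIO", "Information Manager",
                 "active", 2, date(2017, 3, 1), is_register=True),
        IarEntry("HR records", "Director People", "HR Systems Lead",
                 "active", 3, date(2016, 1, 15), csp_involved=True),
        IarEntry("Project Alpha files", "Program Director", None,
                 "active", 2, date(2017, 2, 1),
                 linked_assets=["Project Alpha archive"]),
        IarEntry("Budget papers", "CFO", "Finance Records Officer",
                 "inactive", 1, date(2017, 4, 1)),
        IarEntry("budget papers", "CFO", "Finance Records Officer",
                 "inactive", 1, date(2017, 4, 1)),
    ]


if __name__ == "__main__":
    # Run against the constructed sample as at 1 May 2017, with a prior
    # snapshot in which the budget papers carried a higher confidentiality BIL.
    for title, finding in review_iar(sample_register(), date(2017, 5, 1),
                                     previous={"Budget papers": 3}):
        print(f"{title}: {finding}")
```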

11.4 Consider your information management requirements

Alongside having the right tools to support the organisation’s information requirements, there are likely to be information management processes needed to support the delivery of the requirements.

The creation of an organisational IAR and the process of assigning appropriate governance roles may highlight to responsible personnel their obligations and outcomes in managing and maintaining these information assets. This may mean crafting guidance on how to meet these obligations, such as updating and/or enforcing metadata, information access and release policies, security policies, or providing relevant training and guidance on how and where to store information.

11 The IAR is a permanent record under PROS 07/01 General Retention and Disposal Authority for Records of Common Administrative Functions Version 2009 RDA


Chapter 1 Appendices – Information Asset Guidance

Chapter 1 – Appendix A – Sample questions and example information assets

Sample Questions

The below table presents sample questions that organisations may use in a broader questionnaire as part of their information review.12

SAMPLE QUESTIONS – COMMENTS

Question: What are the core information assets created or used in each business area?
Comment: Request a title and description (overview) of each information asset

Question: What format is information stored in (soft or hard copy)?
Comment: For soft copy material, identify what digital format this takes (e.g. .doc, .ppt, .xls)

Question: Where is the information stored? On a shared drive, database, EDRMS, or physical location if in hard copy form?
Comment: Request details of the soft copy location (i.e. pathway) or physical storage location of where the material is actively used

Question: Who are the nominated owners and custodians of the information asset?
Comment: Request a title and contact details for each information asset

Question: What is the status of the information asset?
Comment: i.e. is the information actively used, or is the information inactive or considered legacy information?

Question: What is the assessed business impact level (BIL) for the information asset?
Comment: This involves an assessment of potential compromise to official information – confidentiality, integrity and availability – and applying a BIL rating12

Question: Is the information used as input or output of a business process?
Comment: Request a brief description of the business processes

12 See Chapter 2 of this Collection for steps on how to assess the value of information.


Question: Is the information used in a decision making process?
Comment: If yes, request a brief description of the decision making processes

Question: Is the information used to evaluate a business rule or condition?
Comment: If yes, request a brief description of the business rule

Question: Is the information subject to any information sharing agreements or arrangements (these can be formal or informal)?
Comment: If yes, request a brief description of the agreements or arrangements


Sample Information Assets

The following high-level information assets are offered purely as examples.

How an organisation defines its information assets, as well as its understanding of its information holdings, will inform what material is ultimately recorded in the organisational IAR.

SAMPLE INFORMATION ASSETS – COMMENTS

Asset: A database of contacts
Comment: Each entry in the database may not need to be treated individually; the collection of pieces of data may therefore be considered one information asset. All the pieces of information within the asset will have similar risks associated with privacy and storage of personal information.

Asset: All files associated with a specific project
Comment: This might include spreadsheets, documents, images, emails to and from project staff and any other form of records. All the individual items may be gathered together and treated the same as they have similar definable content, and the same value, business risk and lifecycle.

Asset: All the financial data for an organisation may be considered a single asset
Comment: There are very specific risks to the business if this information is mismanaged and you may also have an obligation to provide transparency of information, which could be problematic.

Asset: HR records
Comment: These can be collections of hard and soft copy communications and documents related to the employment of an employee stored under the person’s name or identification number, including but not limited to: forms, letters, memos, reports, lists, e-mails, etc. The records serve as the historical record of information pertaining to an employee from date of hire to separation, and contain some pre-employment and post-employment information. This can also include records covering employment, position classification, wage or salary, employee relations, performance management, training, organisational development, attendance and paid time-off usage, etc.

Asset: Budget papers
Comment: This may consist of the budget speech, budget highlights, four budget papers, Ministerial statements, and portfolio budget statements. Ministerial media releases and budget kits can also be useful sources of information.


Information that shouldn’t be considered an information asset

Systems, applications and databases that collect, manage or store information are not information assets; however, the information contained within them is. The level of granularity at which an organisation defines its assets may evolve as the organisation matures in its understanding of what it has.

It is unlikely that an organisation could treat all the content in its records management system as a single asset as the content is likely to cover a diverse range of unrelated topics, each requiring different maintenance and management. Depending on the content in the system, certain records may be grouped into similar types and ultimately considered an information asset.

It is important to note that ‘Unofficial’ information (such as personal correspondence) should not be considered an information asset of the business, despite sometimes being captured on official organisational systems (i.e. email systems).


Chapter 1 – Appendix B – Sample IAR template

Example visual shown below – Full version available in excel spreadsheet (Version 1.0)

To access a copy of the sample IAR template click here.


Chapter 1 – Appendix C – Information Asset considerations

CONSIDERATIONS SUPPORTING COMMENTS

Business engagement

Consider how each of your business units currently use or engage with certain pieces of information in their day-to-day work. This engagement may assist you in logically grouping individual items into a broader information asset that reflects operational business needs.

The grouping of ‘like’ or ‘related’ material doesn’t have to be based on an ICT system or application, but may be informed by a business area, function or activity.

Some probing topics and associated questions to consider include:

Work with or use

Consider the functionality that your organisation requires from its information, how the material is used and what your organisation needs to do with it, e.g. create, modify, access, sort, store, transmit. This area may overlap with the access requirements in that there may be different groups of users who need to access the information in different ways.

For example it is unlikely that your organisation will treat all the content in its large information storage system such as a records management system or data warehouse as a single information asset. These systems or holdings are likely to cover a diverse range of unrelated topics, which can mean different measures (including security measures) are needed to properly manage this information across its lifecycle. Depending on the content, certain records may be grouped into similar types.

• How does the business use or work with the information?

• What does the business need to do (functionality, business services, etc.) with the information?

• What tools (this can be systems, hardware or software) are needed to work with the information?

Usability covers everything from discoverability of the information, through how the information assets are accessed and what is done with them.

Your organisation should consider current information usage requirements as well as future requirements (as these requirements may change over time). Operational record requirements (i.e. retention and disposal authorities issued by the Public Record Office Victoria) may also influence your assessment or grouping of the information asset, as well as informing retention timeframes and application of security measures across the information lifecycle.

Accessibility

• How can the information be accessed?

• What technologies, configurations and management processes are in place to access the material?

• Who needs to access certain pieces of information (i.e. ‘Need to know’ principle, or perhaps personnel security checks are required for access to this information)?

If everything within the asset is security classified, only those with the right security clearance are authorised to access or use that material. Alternatively, if only some component records are security classified then how is access to these records restricted without restricting access to the rest of the record?

These requirements cover not only the security issues around people gaining access to information, but also the opportunities for sharing information internally, interoperability and sharing more widely.

Discoverability

• How will an organisation enable people to find the information in the way they need it?

The granularity and depth of the search required will depend on the type of asset; it may involve finding the asset itself, searching within the asset for files, or searching within those files to find specific pieces of data. This is both about the technology actually used to search for information and also the technology that is used to store the information.

Business context

Consider the business context and environment in which the organisation operates. This may drive the way in which the information assets are defined and the subsequent implementation of security measures to protect this material.

The nature, size and functions of an organisation will also influence the types of information assets it has.

Legal or regulatory obligations

Consider any legal or regulatory obligations that the organisation has, as these existing requirements may inform how the organisation records information elements or structures particular information sets.

An example of this may include existing obligations under the DTF DataVic Access Policy13. Under this policy, your organisation may already be capturing metadata elements that can help you categorise and define additional information assets.


13 Organisations publishing datasets on the DataVic portal should consider the ‘Dataset Publishing manual’ on the DTF website.

(Footnotes)

1 N.B. ‘Department’ and ‘Public body’ are defined in the Financial Management Act (1994). Public bodies include State business corporations and statutory authorities.

2 Victorian Auditor General’s Office (VAGO) - Access to Public Sector Information Report (December, 2015)

3 See Chapter 2 of this Information Security Guide for steps on how to assess the value of information.

4 See Chapter 2 of this Information Security Guide for steps on how to assess the value of information.

5 Organisations publishing datasets on the DataVic portal should consider the ‘Dataset Publishing manual’ on the DTF website.

6 Security classifications are a form of protective marking as outlined in Chapter 3 of this Information Security Guide. Security classifications are used to identify information that has heightened confidentiality requirements. Business classifications on the other hand are designed to support the records management needs of an organisation and act as a means of arranging records in a logical structure and sequence, facilitating their subsequent use and reference (PROS 11/09: Control Standard – 2.2 Classification).


Business classification (records management)

Check if any of the records have a registered business classification, as this can act as a useful basis for understanding various information elements (i.e. information linkages, grouping, naming, user permissions, retrieval, disposition and the identification of vital records).

If a record has been registered under a business classification, consider the assessment process and any information that accompanies this record. Business classification schemes assist with identifying the scope, types, use and functions of an organisation’s information assets and can direct accessibility and re-usability of the material. Common business classification categories can include:

• Committees

• Employee relations

• Government relations

• Information management

• Legal services

• Operations management

• Policies and procedures

• Procurement

• Risk management

• Property management

• Strategic management

• Technology and telecommunications

• Work Health and Safety.

N.B. Business classifications are different from security classifications14

Externally sourced information

Organisations should take into account any externally sourced or generated information, as it may also be considered an information asset of the business depending on:

• the functions, processes or activities that this material is supporting

• what other information this material is combined with, and

• the terms of the agreement or arrangement under which the material is supplied (e.g. does your organisation maintain ownership and IP over the information, or is your organisation permitted to use this material under a copyright agreement).


14 Security classifications are a form of protective marking as outlined in Chapter 3 of this Collection. Security classifications are used to identify information that has heightened confidentiality requirements. Business classifications on the other hand are designed to support the records management needs of an organisation and act as a means of arranging records in a logical structure and sequence, facilitating their subsequent use and reference (PROS 11/09: Control Standard – 2.2 Classification).


Chapter 1 – Appendix D – Suggested Information Management roles and responsibilities

The following list sets out some of the more commonly recognised IM roles and associated responsibilities. Not all organisations will have these particular roles, or even describe these functions in the same way, with some smaller organisations perhaps having a single person performing a few functions. It is expected that organisations define their respective roles and responsibilities based on relevant legislative and / or regulatory obligations.

Information owner

An information owner is the person or entity that has legal possession of the information asset and is ultimately accountable for that information. For some organisations this may be the agency or body for which the information asset was produced or acquired, and in turn the public sector body head, who retains ownership of the organisation’s overall information assets. For other organisations, ownership may be defined in particular legislative instruments.

In some organisations, it may be appropriate for the information owner to delegate the management and handling of responsibilities associated with the information asset to an information steward and / or an information custodian.

Information steward

In some organisations the information owner may delegate responsibility for the information asset to an information steward. This person or role is responsible for making sure the asset is meeting its requirements, and that risks and opportunities associated with the information are monitored and managed. The steward, in this instance, has operational accountability for the information.

The information steward need not be the creator (originator) of the information, or even the primary user of the asset, but they must have a good understanding of what the business needs from the information asset, and how the information can help fulfill those requirements.

The information steward is often a subject matter expert, or ‘owner’ of the relevant business process, for a particular information collection or asset.

The role (or delegate role) should be involved in any risk assessments and analysis of the information to help assess its value15. Only once this assessment has been made, can the relevant security measures be considered to protect the information asset.

Information custodian

An information custodian is generally described as a designated person, position, officer, business unit or agency with assigned responsibilities for the information asset, to ensure that the information is managed appropriately over its lifecycle in accordance with rules set by the information owner or steward, and that the quality of the information is assured.

Information users / administrators

Any person who generates or receives official information. This can include staff or external parties who have access to the information.

15 See Chapter 2 of this Collection for steps on how to assess the value of information


Chapter 2 – Understanding Information Value

12. Purpose

Everyone who works with official information has an obligation to respect the information that they create, access and use, and is personally accountable for safeguarding this material. In order to do this, all persons need to have an understanding of the value16 of official information, and of the security measures designed to protect the confidentiality, integrity and availability of official information.

Valuing official information is the fundamental starting point for the development of a positive security culture in the Victorian public sector. Proper valuation of official information means that the right security precautions can be taken to protect it.

This chapter aims to assist organisations undertaking these activities by:

• providing guidance about assessing official information using a consistent impact assessment tool (taking the form of Business Impact Levels – BILs)

• determining the overall value of official information

• identifying the appropriate protective marking

• understanding if additional security measures are required to protect official information (beyond those informed by the protective marking)

• contextualising the VPDSF BILs in line with the organisation’s specific operating requirements

13. Assessing the Value of Information

13.1 Who performs an information assessment?

When official information is created, the originator of this material is required to assess potential business impacts if the information was compromised.

The originator is the person, or organisation, responsible for preparing / creating official information or for actioning information generated outside the public sector (e.g. by private industry).

This person, or organisation, is also responsible for deciding whether, and at what level, to value information, by completing the information assessment process.

13.2 Assessing the value of information

The information value assessment process involves three core stages:

1. Review content

2. Consider potential impacts if the information was compromised

3. Understand the overall value of the information, in order to apply the appropriate security measures

A visual representation of the full information assessment process is in Chapter 2 – Appendix A.

16 Under the VPDSF, the security value of the material refers to the overall business impact of the information. Information value is based on a holistic assessment of compromise to the confidentiality, integrity and / or availability of official information. The overall value of the information informs the security measures needed to fully protect it.


13.3 What information should be assessed?

An information value assessment should only be performed on official information17.

If the material is deemed ‘unofficial’18, you do not need to perform a value assessment or apply a protective marking.

In Chapter 1 of this Collection, your organisation was asked to identify and register its information assets19. Information assets may be comprised of multiple pieces of information, such as a collection of documents and spreadsheets, relating to a specific subject.

In order to determine the value of a particular document or spreadsheet, each item that makes up an information asset needs to be independently assessed and valued.

17 Official information means information (including personal information) obtained, generated, received or held by or for a Victorian public sector organisation for an official purpose or supporting official activities. This includes both hard and soft copy information, regardless of media or format.

18 Unofficial information is any information that has no relation to official activities, such as a personal correspondence. Unofficial information does not need to undergo the assessment process.

19 An information asset is described as a body of information, defined and practically managed so it can be understood, shared, protected and used to its full potential. Information assets support business processes and are stored across a variety of media and formats (i.e. both paper based as well as electronic material). Information assets have a recognisable and manageable value, risk, content and lifecycle. An information asset can be a specific report, a collection of reports, a database, information contained in a database, information about a specific function, subject or process.


PERFORMING AN INFORMATION VALUE ASSESSMENT

1. Review content

Start off by reviewing the information content20.

By understanding the information content, you are able to assess the potential impact if there were a compromise to this material.

An information value assessment is only performed on official information. If the material is deemed ‘unofficial’, you do not need to perform a value assessment or apply a protective marking.

2. Consider potential business impacts

Assess the potential business impacts to your organisation, if there was a compromise to the:

• Confidentiality

• Integrity

• Availability

of the information.

Confidentiality

Confidentiality refers to the limiting of access to official information to authorised persons for approved purposes. The confidentiality requirement is determined by assessing the potential consequences of unauthorised disclosure of official information and the level of its sensitivity.

The level of sensitivity:

1. refers to the degree to which, and the extent or duration of, any impacts and related consequences to the confidentiality of the information

2. informs the appropriate label (protective marking(s)21) for the information

20 When we refer to ‘information content’ we are describing the material captured within a document, email, spreadsheet, audio recording, imagery, etc.

21 For more information on protective markings, refer to Chapter 3 of this security Collection

Integrity

Integrity refers to the assurance that official information has been created, amended or deleted only by the intended authorised means and is correct and valid.

Availability

Availability refers to allowing authorised persons to access official information for authorised purposes at the time they need to do so.

The integrity and availability business impacts are determined by assessing the potential consequences of unauthorised modification or unavailability of the information and the level of its significance.

The level of significance:

1. refers to the degree to which, and the extent or duration of, any impacts and related consequences to the integrity and/or availability of the information

2. identifies the need for additional security measures to further protect the information beyond those established by the protective marking.

3. Understand overall value and apply security measures

The information assessment process delivers two equally important outcomes:

• the identification of the appropriate label (protective marking(s)) for official information, and

• an understanding of the overall value of the information and whether any additional security measures are needed to further protect it. These additional security measures act as layered protection for the information, beyond those established by the protective marking

13.4 Information Value Assessment Considerations

When assessing official information, organisations should keep in mind the following:

13.4.1 Legislative requirements governing the information

Some forms of official information are governed by legislation that restricts or prohibits disclosure of its content, imposes certain use and handling requirements or restricts dissemination of the material.22

Organisations should be aware of these obligations when assessing official information in order to determine what Dissemination Limiting Markers (DLMs) are appropriate for the content.

22 For more information on some of the more common legislative requirements governing information and Dissemination Limiting Markers (DLMs), refer to Chapter 3 – Section 24.2 of this collection.


13.4.2 Inappropriate use of protective markings

Official information should only be protectively marked where there is a clear and justifiable need to do so.

In no case should official information be protectively marked to:

• hide violations of law, inefficiency or administrative error

• prevent embarrassment to an individual, organisation or agency

• restrain competition, or

• prevent or delay the release of information that does not need protection

The presence or absence of a protective marking does not affect a document’s status under the Freedom of Information (FOI) Act.

13.4.3 Prevent over-classification

It is important that only information requiring increased protection be labelled with a protective marking.

In particular, security classifications should only be used when potential compromise of the confidentiality of the material warrants increased protection.

Inappropriate over-classification can result in:

• access to official information being unnecessarily limited or delayed

• overly onerous administration and procedural overheads, imposing additional costs on the organisation

• protective markings being devalued or ignored by personnel and receiving parties.

13.4.4 Consider the aggregated value of the information

Where multiple pieces of official information are stored together, the overall value of this collective (aggregated) material should be considered. This may include storing multiple records in a single file, or the storage of material in a folder on a shared network drive or USB.

The risks associated with this aggregated information may be higher than any single instance or individual record, and may result in additional security controls being needed to protect the combined information assets.

Organisations should consider the aggregated value of their information when selecting equipment, systems, facilities or services for the protection of this information.


14. Victorian versus Commonwealth scheme

Different regulatory arrangements exist for the oversight and management of official information across jurisdictions (i.e. State / Territory versus Commonwealth).

Under the VPDSF, Business Impact Levels (BILs) are used to assess official information. This approach is consistent with the Commonwealth Protective Security Policy Framework (PSPF), which also employs this method.

By adopting a consistent assessment tool, Victorian public sector organisations are positioned to effectively share information across jurisdictions without having to undergo complex mapping exercises.

Prior to conducting an information assessment, organisations need to first consider which scheme they are to apply. Ask yourself: does this information have the potential to affect national interest23?

A visual representation of this consideration is provided in Figure 2, along with a brief description of the two complementary schemes (VPDSF and PSPF).

[Figure 2 (Victorian Protective Data Security Framework, June 2016): decision flow. Question: Does the information have the potential to affect national interest? NO – refer to the Victorian Protective Data Security Framework (VPDSF). YES – refer to the Protective Security Policy Framework (PSPF), Protective security governance guidelines – Business impact levels (Version 2.1, approved November 2014, amended April 2015).]

Figure 2 – Does the information have the potential to affect National Interest?

14.1 Victorian Cabinet Documentation

Unauthorised and/or premature disclosure of Cabinet documentation (including draft documentation) undermines the convention of Cabinet confidentiality. This confidentiality extends to preserving a Minister’s actual or proposed position on Cabinet matters. In order to preserve this convention, it is essential that security measures are applied when handling, transmitting and/or storing this material. Protective markings help signal what level of protection is required for particular types of information.

Under the former WoVG Security Standards, Victorian Cabinet information was labelled as ‘Cabinet-in-Confidence’. This marking is now being retired, and replaced with the new VPDSF protective marking of Sensitive: VIC Cabinet. CPDP recognises that updates to an organisation’s systems and processes to reflect this new marking may take some time; however, planning for this transition should already be under way.

The protective marking scheme outlined under the VPDSF was informed by the Australian Government Security Classification System released in November 201424. By adopting this scheme Victorian agencies or bodies can effectively engage in information sharing initiatives with other jurisdictions.

23 Refer to VPDSF Glossary of Protective Data Security Terms for National interest definition

24 Commonwealth Protective Security Policy Framework


The establishment of Sensitive: VIC Cabinet represents the only departure from the Commonwealth scheme, highlighting the unique operating requirements of the Victorian Cabinet.

Security measures previously afforded to Victorian Cabinet information must continue to be recognised. Minimum controls for the protection of Victorian Cabinet documentation are prescribed in the Victorian Cabinet Handbook25. Some Victorian Cabinet information may also warrant additional Dissemination Limiting Markers (DLMs) or security classifications, depending on the business impact of a compromise to that information26. As with all official information, Cabinet material should be assessed on its individual merits. If a security classification is warranted, additional protective measures may be required beyond the minimum controls set out in the Victorian Cabinet Handbook.

14.2 VPDSF (State) vs. PSPF (Commonwealth) BILs

State

The VPDSF BIL table has been developed to provide a basis for Victorian public sector organisations to assess official information that has the potential to affect State Government operations or interests, entities and persons within Victoria.

The full VPDSF BIL table, contained in Chapter 2 – Appendix B, provides organisations with standardised impact categories and consequence levels to use to assess official information.

Commonwealth

A limited number of Victorian organisations will create, use or receive information that could impact on Australia’s national interest.

Where information is assessed as having the potential to impact national interest, organisations are to adhere to the requirements set out in the PSPF (Protective security governance guidelines – Business Impact Levels) for this material.

The PSPF provides its own BIL table with its own set of definitions, consequences and impact categories. For more information on the PSPF, refer to the PSPF website at www.protectivesecurity.gov.au

25 VIC Cabinet Handbook, January 2017

26 Chapter 2 of this Collection


15. Business Impact Levels (BILs)

In order to undertake the information assessment process, organisations are to use valuation criteria called Business Impact Levels (BILs) to determine the value of official information.

15.1 What are Business Impact Levels (BILs)?

BILs are quantitative measures of scaled consequences, identifying the potential impact arising from a compromise to the confidentiality, integrity or availability of official information.

A sample representation of the VPDSF BIL table is provided below.

Impact level (columns, left to right): NEGLIGIBLE | LOW–MEDIUM | HIGH | VERY HIGH | EXTREME

Consequence level: 0 | 1 | 2 | 3 | 4

Impact descriptor: BIL 0 impact descriptor listed here | BIL 1 impact descriptor listed here | BIL 2 impact descriptor listed here | BIL 3 impact descriptor listed here | BIL 4 impact descriptor listed here

IMPACT CATEGORY: Main impact category listed here…

Sub impact category listed here: BIL 0 standardised consequence statement | BIL 1 standardised consequence statement | BIL 2 standardised consequence statement | BIL 3 standardised consequence statement | BIL 4 standardised consequence statement

15.2 Why use BILs?

BILs help organisations assess and communicate the consequence(s) of particular information impacts with linked agencies, business partners, external parties and providers.

By assessing official information in a standardised manner, Victorian public sector organisations are able to consider and collaboratively manage information risks and provide a solid foundation for secure information sharing practices.

The ability to share information using commonly understood terms allows for informed negotiation between organisations over the risk controls or mitigations that should be employed.

Throughout the information lifecycle, organisations are to use the impact criteria in the BILs table to assess official information.

15.3 What is the VPDSF BIL table?

The VPDSF BIL table (Chapter 2 – Appendix B) provides:

• five scaled impact levels (starting at zero and scaling through to a maximum of four)

• impact categories (grouped ‘like’ impact types listed down the table)

• consequence statements across each of the levels.


16. How to read the BIL table

16.1 Impact levels

An impact level refers to the severity of the potential consequences and the degree to which a compromise to the official information is likely to cause harm or render damage. As potential consequences increase in severity, the impact levels rise.

NEGLIGIBLE LOW – MEDIUM HIGH VERY HIGH EXTREME

16.2 Impact categories

In the VPDSF BIL table, consequences bearing ‘like attributes’ are grouped into ‘impact categories’. Examples of impact categories include:

Economy & Finance

Legal & Regulatory

Personal

Public Services

Public Order, Public Safety & Law Enforcement

16.3 Consequences

The VPDSF BIL table presents standardised consequence statements for State Government operations or interests, entities and persons within Victoria.

These consequences include examples of adverse effects or results if official information were compromised or lost.


17. Contextualising the VPDSF BIL table for your organisation

Victorian public sector organisations are expected to use the VPDSF BIL table (Chapter 2 – Appendix B) to assess the impacts resulting from a compromise to the confidentiality, integrity and availability of official information.

The VPDSF BIL table does not require adjustment, as pre-defined consequence statements and impact levels provide a standardised model for Victorian public sector organisations to utilise. The fixed nature of these statements is critical to ensuring organisations use consistent valuation criteria when assessing official information, and in turn, communicating its sensitivities27 and significance28 in a standardised manner.

Rather, Victorian organisations are required to consider the standardised consequence statements in the context of their specific operating requirements. This may be based on their functions, size, resources or information assets.

By doing so, the BILs can assist organisations in properly identifying the true impacts and implications to their business, should a compromise to the confidentiality, integrity or availability of official information occur.

External parties with access (direct or indirect) to official information should also refer to the BIL table of the engaging Victorian public sector organisation, to ensure consistency when conducting an information assessment.

Example 1 – Economy and Finance impact category

Impact category of ‘Economy and Finance’ and sub impact category of ‘Organisation’s operating budget’, as set out in Appendix B – VPDSF Business Impact Level (BIL) Table:

IMPACT CATEGORY: ECONOMY AND FINANCE

Impact level | Consequence level | Impact descriptor

NEGLIGIBLE | 0 | Compromise of the information could be expected to cause insignificant harm/damage to government operations, organisations and individuals

LOW–MEDIUM | 1 | Compromise of the information could be expected to cause limited harm/damage to government operations, organisations and individuals

HIGH | 2 | Compromise of the information could be expected to cause major harm/damage to government operations, organisations and individuals

VERY HIGH | 3 | Compromise of the information could be expected to cause significant harm/damage to government operations, organisations and individuals

EXTREME | 4 | Compromise of the information could be expected to cause serious harm/damage to government operations, organisations and individuals

Sub impact category: Organisation’s operating budget (impact on public finances)

• BIL 0 (NEGLIGIBLE): Resulting in insignificant loss of < 1% of organisation’s annual operating budget

• BIL 1 (LOW–MEDIUM): Resulting in limited loss of > 1% – 10% of organisation’s annual operating budget

• BIL 2 (HIGH): Resulting in major loss of > 10% – 15% of organisation’s annual operating budget

• BIL 3 (VERY HIGH): Resulting in significant loss of > 15% – 20% of organisation’s annual operating budget

• BIL 4 (EXTREME): Resulting in serious loss of ≥ 20% of organisation’s annual operating budget

Sub impact category: Non-public finances

• BIL 0 (NEGLIGIBLE): None

• BIL 1 (LOW–MEDIUM): Resulting in limited financial hardship to an individual or business

• BIL 2 (HIGH): Resulting in major financial hardship to an individual or business

• BIL 3 (VERY HIGH): Resulting in significant financial hardship to an individual or business

• BIL 4 (EXTREME): Resulting in serious financial hardship to an individual or business

The VPDSF BIL table presents standardised financial consequence statements, scaling from ‘insignificant’ through to ‘serious’ loss. Each descriptor is accompanied by a percentage (%), quantifying scaled business impacts for a loss to the organisation’s annual operating budget.

A certain percentage loss will have different implications for different organisations, i.e. losing > 1% – 10% of a small organisation’s annual operating budget would have a very different effect from the same percentage loss at a larger organisation, which may be able to absorb the impact better.

In order for an organisation to consider the standardised consequences in the context of their specific operating requirements, they need to first consider their overall operating budget.

27 Refer to VPDSF Glossary of Protective Data Security Terms for sensitivity definition

28 Refer to VPDSF Glossary of Protective Data Security Terms for significance definition


For example, the operating budget of agency X is $4,000,000. Using the VPDSF BIL table, agency X would replace each VPDSF BIL percentage with the corresponding dollar amount for that impact level, calculated from the organisation’s annual operating budget.

The statements below have been contextualised based on agency X’s $4,000,000 annual operating budget:

• BIL 0: Resulting in an insignificant loss of less than $40,000 of the organisation’s annual operating budget

• BIL 1: Resulting in a limited loss of $40,000 – $400,000 of the organisation’s annual operating budget

• BIL 2: Resulting in a major loss of $400,000 – $600,000 of the organisation’s annual operating budget

• BIL 3: Resulting in a significant loss of $600,000 – $800,000 of the organisation’s annual operating budget

• BIL 4: Resulting in a serious loss of $800,000 or more of the organisation’s annual operating budget

Example 2 – Legal and Regulatory impact category

Impact category of ‘Legal and Regulatory’ and sub impact category of ‘Legal/Compliance’, as set out in Appendix B – VPDSF Business Impact Level (BIL) Table:

IMPACT CATEGORY: LEGAL AND REGULATORY

Impact level | Consequence level | Impact descriptor

NEGLIGIBLE | 0 | Compromise of the information could be expected to cause insignificant harm/damage to government operations, organisations and individuals

LOW–MEDIUM | 1 | Compromise of the information could be expected to cause limited harm/damage to government operations, organisations and individuals

HIGH | 2 | Compromise of the information could be expected to cause major harm/damage to government operations, organisations and individuals

VERY HIGH | 3 | Compromise of the information could be expected to cause significant harm/damage to government operations, organisations and individuals

EXTREME | 4 | Compromise of the information could be expected to cause serious harm/damage to government operations, organisations and individuals

Sub impact category: Legal/compliance (including applicable legislation and agreements or contracts), e.g. non-compliance with legislation, commercial confidentiality and legal privilege

• BIL 0 (NEGLIGIBLE): No compliance issue or breach

• BIL 1 (LOW–MEDIUM): Resulting in limited: legal issues; non-compliance with contracts or agreements; failure of statutory duty; breaches; misconduct investigation managed internally

• BIL 2 (HIGH): Resulting in major: legal issues; non-compliance with contracts or agreements; failure of statutory duty; breaches; misconduct investigation managed either internally or externally

• BIL 3 (VERY HIGH): Resulting in significant: legal issues; non-compliance with contracts or agreements; failure of statutory duty; breaches; misconduct investigation managed either internally or externally

• BIL 4 (EXTREME): Resulting in serious: legal issues; non-compliance with contracts or agreements; failure of statutory duty; breaches; misconduct investigation managed either internally or externally


The VPDSF BIL table presents standardised legal and regulatory consequence statements, scaling from ‘insignificant’ through to ‘serious’.

Under the Legal/Compliance sub impact category, the consequence statements represent standardised legal or compliance business impacts that may result from a compromise to the confidentiality, integrity and availability of official information. These consequences could include non-compliance with legislation, commercial confidentiality and legal professional privilege.

The complex legal and regulatory landscape in which Victorian organisations operate means they are required to observe a range of compliance requirements. These requirements differ from organisation to organisation (e.g. ‘small and simple’ to ‘large and complex’), and are significantly influenced by the requirements of the legislation they administer.

In order for an organisation to understand how to apply the standardised consequences from the VPDSF BIL table, it first needs to consider the legal and regulatory environment in which it operates.

For example, compliance obligations for a single entity may include:

• Public Administration Act (2004)

• Public Records Act (1973)

• Financial Management Act (1994)

• Privacy and Data Protection Act (2014)

• Freedom of Information Act (1982)

• Local operating agreements, arrangements or contracts

Understanding these obligations helps an organisation to contextualise the consequence statements and define ‘insignificant, limited, major, significant and serious’ impacts in relation to its own operating environment.


18. Working examples

The following section sets out two working examples where organisations conduct an information assessment using the VPDSF BIL table to determine the overall value of official information.

These are only sample representations of how to conduct an information assessment.

Organisations should consider the legislative and regulatory environment in which they operate as this may also influence the assessment of any official information, and subsequent application of security measures needed to protect this material.

EXAMPLE 1 – COMMISSIONER FOR PRIVACY AND DATA PROTECTION (CPDP)

The Commissioner for Privacy and Data Protection (CPDP) conducts a security review on a potential breach of official information from a government agency.

The team create a file note summarising the breach and need to determine:

1. If the information requires a protective marking, and

2. Whether any additional security measures are required to further protect this information, beyond those established by the protective marking.

Information assessment process

Stage 1 – Confidentiality (C): The team conducts an initial assessment to consider the potential impacts if the confidentiality of the information was compromised. This assessment will help determine the relevant impact level for this stage.

After assessing each of the consequence statements in the BIL table, multiple outcomes are identified.

These outcomes determined that the information must remain confidential, as unauthorised access could be expected to cause major harm/damage to government operations, organisations and individuals.

Potential consequences included major:

• legal and compliance implications (non-compliance with secrecy provisions in legislation)

• harm to an individual’s safety or liberty resulting in compromise of person

• reputational damage, including generating broad public concern, mainstream media reports and negative publicity

• damage to crime fighting including impeding the investigation of an indictable offence


Confidentiality result: Using this example, a compromise to the confidentiality of the official information was assessed as a business impact level (BIL) of 2.

Confidentiality consequences at this level, correspond with a security classification of ‘PROTECTED’. Depending on the content, the information may also require Dissemination Limiting Markers (DLMs)29.

Stage 2 – Integrity (I) and Availability (A): The team then conducts a secondary, layered assessment of the same information to consider what potential impacts could occur if the integrity or availability of the material was compromised. This secondary assessment will help determine the relevant impact level for this stage.

After assessing each of the consequence statements in the BIL table, limited outcomes were identified. These outcomes were based on the need for the team to readily access accurate information.

Potential consequences included limited:

• damage to an organisation’s assets

• degradation or cessation of non-critical (non-essential or important) business operations, systems or services, to an extent that while the organisation can perform its primary functions, the efficiency and effectiveness of the functions is noticeably reduced or impeded.

Integrity and Availability result:

In this example the secondary, layered assessment for integrity and availability identified a business impact level (BIL) of 1.

As this BIL is lower than the level identified under the initial ‘confidentiality’ assessment, additional security measures do not need to be considered in this instance.

Security controls that accompany a security classification of PROTECTED should be employed to secure this official information.

Note: The secondary assessment does not alter the protective marking.


29 Refer to Chapter 3 of this security collection for more information on Dissemination Limiting Markers (DLMs) and the legislative basis for particular markings


EXAMPLE 1 – OVERALL VALUE

In this working example, the overall value of the information was determined to be a BIL of 2.

This is based on the selection of the highest overall BIL from both stages of the assessment (confidentiality, integrity and availability):

• confidentiality assessed at a BIL of 2

• integrity and availability assessed at a BIL of 1

This means that the information requires a security classification of PROTECTED with accompanying information, personnel, ICT and physical security controls being needed to protect the material.

The team also need to be mindful of any legislative obligations surrounding the information, and the application of Dissemination Limiting Markers (DLMs)30 to signify this.


EXAMPLE 2 – COUNTRY FIRE AUTHORITY (CFA)

The Country Fire Authority (CFA) regularly publishes important information on their website notifying members of the community about fire warnings, incidents and planned burns.

The CFA team are looking to publish updated material about a fire warning on their website; however, prior to doing this they need to determine:

1. If the information requires a protective marking, and

2. Whether any additional security measures are required to further protect this information, beyond those established by the protective marking.

Information assessment process

Stage 1 – Confidentiality (C): The team conduct an initial assessment to consider the potential impacts if the confidentiality of the information was compromised. This assessment will help determine the relevant impact level for this stage.

After assessing each of the consequence statements in the BIL table, limited outcomes were determined.

These potential consequences identified that unauthorised release of the material could be expected to cause insignificant harm/damage to government operations, organisations and individuals resulting in a BIL of 0.

30 Refer to Chapter 3 (Protective Markings) of this document for further information


Additional considerations include:

• authorising environment of the agency, which had approved the content for public release (authorisation)

• the information was initially created/designed for members of the public to consume (purpose), and

• the agency (CFA) need to ensure all persons (public and VPS) have unrestricted access to the information presented on their corporate website (intent)

Confidentiality result: In this example, a compromise to the confidentiality of the official information was assessed as a BIL of 0.

Confidentiality consequences at this level do not require a security classification. Information assessed at this level is considered ‘Unclassified’ and may be suitable as Public Domain if authorised by the CFA for unlimited public release.

Stage 2 – Integrity (I) and Availability (A): The team then conduct a secondary, layered assessment to consider what potential impacts could occur if the integrity or availability of the same information was compromised. This assessment will help determine the relevant impact level for this stage.

After assessing each of the consequence statements in the BIL table, multiple outcomes were identified. These outcomes took into account the need for individuals to readily access up-to-date and accurate information from the CFA website.

Potential consequences included major:

• compromise of individuals’ personal safety and wellbeing if incorrect or outdated information were provided on the CFA website during an emergency period (integrity concerns)

• unrest or instability across the public sector and/or broader community if people consume altered or falsified information from the CFA website (integrity concerns)

• members of the public unable to access critical fire warnings or incident information from the website during an emergency period, leading to the compromise of individuals’ personal safety and wellbeing (availability concerns)

• lack of capacity to operate and deliver essential and/or emergency services, etc. (availability concerns)

• reputational damage to the agency (CFA) if the corporate website is unavailable (availability concerns)


Integrity and Availability result:

In this example the secondary, layered assessment for integrity and availability identified a BIL of 2.

As this BIL is higher than the BIL identified in the initial ‘confidentiality’ assessment, additional security measures need to be considered by the CFA to protect the information on their website. These heightened security measures need to be considered as the controls for UNCLASSIFIED material do not offer suitable security for the heightened integrity and availability needs associated with the information.

Note: The secondary assessment does not alter the protective marking.

EXAMPLE 2 – OVERALL VALUE

In this working example, the overall value of the information was determined to be a BIL of 2. This is based on a selection of the highest overall BIL from an assessment of the confidentiality, integrity and availability of the material:

• confidentiality assessed at a BIL of 0

• integrity and availability assessed at a BIL of 2.

This means that the information does not require a protective marking as it has been assessed as Unclassified.

As the information has no confidentiality restrictions, the publishing team at CFA may seek internal authorisation to publicly release this content (i.e. suitable for the Public Domain) on their corporate website. They would also then work with their security team to put in place appropriate controls to ensure the continued integrity and availability of this content when published on the website.

This example highlights that a layered assessment is valuable in helping identify where additional security measures (ICT, personnel and physical security controls) may be required to further protect the information. These security measures are beyond those identified by the protective marking of the information.


19. Continuous improvement assessment

Organisations should consciously consider the lifecycle of official information and the effect that this may have on any initial value assessments. This may be due to changes to:

• the importance of the information

• age of the information

• currency of the information

• amount of information contained in a particular information asset (i.e. if content is added to or removed, the overall value of the information may change)

• aggregation of information (e.g. when data is combined with other data sets)

• information owners and owning organisations (e.g. internal organisational restructures or machinery of government activities)

• information usage (e.g. the purpose for the information collection, methods of use)

• internal or external circumstances that may result in a requirement to upgrade or downgrade the overall value of the information.


Chapter 2 Appendices – Understanding Information Value31

Chapter 2 – Appendix A – Stages of the information value assessment process

PERFORMING AN INFORMATION VALUE ASSESSMENT

[Diagram: START → STAGE 1 Confidentiality (C) + STAGE 2 Integrity (I) & Availability (A) = STAGE 3 Overall value]

Review the content, then consider impacts. Using the VPDSF BIL table31, assess the potential consequences resulting from a compromise to the confidentiality, integrity and/or availability of the information.

Identify the highest consequences from the VPDSF BIL table, selecting the impact levels relating to a compromise of the confidentiality, integrity and availability of the information.

Stage 1 – Compromise to confidentiality: determine if the information requires a protective marking (Security Classification | Dissemination Limiting Marker (DLM) | Caveats).

Organisations must also consider if disclosure of this information is limited or prohibited by legislation, or where special handling is required and dissemination of the information needs to be controlled. If so, the relevant DLM will need to be applied.

Stage 2 – Compromise to integrity & availability: if the secondary, layered assessment arrives at a higher impact level than the one identified under the initial confidentiality assessment, additional security measures may need to be applied.

Additional security measures can take the form of ICT, Personnel and/or Physical security controls to further protect the information from a compromise of its integrity and/or availability.

The secondary assessment (Integrity & Availability) does not adjust the outcome of the initial confidentiality assessment. The protective marking remains the same.

Stage 3 – Overall value (Confidentiality + Integrity & Availability): apply security measures based on the overall value of the information.

Impact levels shown in the diagram: NEGLIGIBLE, LOW – MEDIUM, HIGH, VERY HIGH, EXTREME

Protective markings shown in the diagram: UNCLASSIFIED (No DLM); PUBLIC DOMAIN (If authorised for limited public release); UNCLASSIFIED (Bearing a DLM); PROTECTED; CONFIDENTIAL; SECRET

31 Refer to Chapter 2 (Understanding Information Value), Chapter 2 – Appendix B (VPDSF BIL table) of this security collection for more information
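The two-stage assessment of the working examples (section 18) and Appendix A, together with the budget contextualisation the collection shows for agency X’s $4,000,000 budget, as an added Python example (not CPDP’s own code). It assumes the Appendix A diagram lists UNCLASSIFIED (no DLM), UNCLASSIFIED bearing a DLM, PROTECTED, CONFIDENTIAL and SECRET in ascending BIL order, and assumes a reading for the exact-percentage boundaries the Appendix B table leaves open.

```python
"""Two-stage VPDSF information value assessment (added example, not CPDP's own tool).

Encodes the procedure of the working examples (section 18) and Chapter 2 Appendix A:
the confidentiality BIL alone sets the protective marking; the secondary
integrity & availability BIL never changes that marking but, where it is higher,
flags that additional ICT, personnel or physical security measures must be
considered; the overall value is the highest BIL of both stages. It also
contextualises the Appendix B 'operating budget' bands against an annual budget,
as the collection does for agency X's $4,000,000.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Optional, Tuple

IMPACT_LEVELS = {0: "NEGLIGIBLE", 1: "LOW-MEDIUM", 2: "HIGH", 3: "VERY HIGH", 4: "EXTREME"}
DESCRIPTORS = {0: "insignificant", 1: "limited", 2: "major", 3: "significant", 4: "serious"}

# Protective marking per confidentiality BIL, read off the Appendix A diagram.
# Assumption: the diagram lists UNCLASSIFIED (no DLM), UNCLASSIFIED bearing a DLM,
# PROTECTED, CONFIDENTIAL and SECRET in ascending BIL order.
MARKINGS = {
    0: "UNCLASSIFIED",
    1: "UNCLASSIFIED (bearing a DLM)",
    2: "PROTECTED",
    3: "CONFIDENTIAL",
    4: "SECRET",
}

# Upper bound of each Economy and Finance 'operating budget' band as a share of the
# annual operating budget: < 1% | > 1%-10% | > 10%-15% | > 15%-20% | >= 20%.
BAND_UPPER = (Fraction(1, 100), Fraction(10, 100), Fraction(15, 100), Fraction(20, 100))


@dataclass(frozen=True)
class Assessment:
    confidentiality_bil: int
    integrity_availability_bil: int
    overall_bil: int
    protective_marking: str
    additional_measures_required: bool


def _check_bil(bil: int) -> None:
    if bil not in IMPACT_LEVELS:
        raise ValueError(f"BIL must be 0-4, got {bil!r}")


def assess(confidentiality_bil: int, integrity_availability_bil: int) -> Assessment:
    """Stage 1 (confidentiality) then stage 2 (integrity & availability)."""
    _check_bil(confidentiality_bil)
    _check_bil(integrity_availability_bil)
    # Overall value: the highest BIL from both stages.
    overall = max(confidentiality_bil, integrity_availability_bil)
    # The secondary assessment does not alter the protective marking.
    marking = MARKINGS[confidentiality_bil]
    # A higher I&A BIL means the marking's controls alone are not enough.
    extra = integrity_availability_bil > confidentiality_bil
    return Assessment(confidentiality_bil, integrity_availability_bil, overall, marking, extra)


def budget_loss_bil(loss: int, annual_budget: int) -> int:
    """Economy and Finance BIL for a dollar loss against an annual operating budget.

    Boundary handling is an assumption where the table is silent: exactly 1% is
    'limited' (the '< 1%' band excludes it), 10% and 15% close the band they end,
    and exactly 20% is 'serious' because that band reads '>= 20%'.
    """
    if annual_budget <= 0 or loss < 0:
        raise ValueError("annual_budget must be positive and loss non-negative")
    share = Fraction(loss, annual_budget)
    if share < BAND_UPPER[0]:
        return 0
    if share <= BAND_UPPER[1]:
        return 1
    if share <= BAND_UPPER[2]:
        return 2
    if share < BAND_UPPER[3]:
        return 3
    return 4


def contextualise_budget_bands(annual_budget: int) -> Dict[int, Tuple[int, Optional[int]]]:
    """Dollar (lower, upper) bounds of each band for this budget; None = open-ended."""
    bounds = [int(annual_budget * share) for share in BAND_UPPER]
    return {
        0: (0, bounds[0]),
        1: (bounds[0], bounds[1]),
        2: (bounds[1], bounds[2]),
        3: (bounds[2], bounds[3]),
        4: (bounds[3], None),
    }


if __name__ == "__main__":
    # Working example 1 (CPDP file note): confidentiality BIL 2, I&A BIL 1.
    cpdp = assess(2, 1)
    print(f"CPDP: {cpdp.protective_marking}, overall BIL {cpdp.overall_bil}, "
          f"additional measures: {cpdp.additional_measures_required}")
    # Working example 2 (CFA fire warning): confidentiality BIL 0, I&A BIL 2.
    cfa = assess(0, 2)
    print(f"CFA: {cfa.protective_marking}, overall BIL {cfa.overall_bil}, "
          f"additional measures: {cfa.additional_measures_required}")
    # Agency X, $4,000,000 annual operating budget, as contextualised in the collection.
    for bil, (lower, upper) in contextualise_budget_bands(4_000_000).items():
        top = "open-ended" if upper is None else f"${upper:,}"
        print(f"BIL {bil} ({DESCRIPTORS[bil]}): ${lower:,} - {top}")
```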


Chapter 2 – Appendix B – VPDSF Business Impact Level (BIL) Table

IMPACT CATEGORY: ECONOMY AND FINANCE

Impact levels (consequence rating in brackets): NEGLIGIBLE (0), LOW–MEDIUM (1), HIGH (2), VERY HIGH (3), EXTREME (4). Compromise of the information could be expected to cause insignificant (0), limited (1), major (2), significant (3) or serious (4) harm/damage to government operations, organisations and individuals.

SUB IMPACT CATEGORY: Organisation’s operating budget (impact on public finances)

• 0 – Resulting in insignificant loss of < 1% of organisation’s annual operating budget

• 1 – Resulting in limited loss of > 1% – 10% of organisation’s annual operating budget

• 2 – Resulting in major loss of > 10% – 15% of organisation’s annual operating budget

• 3 – Resulting in significant loss of > 15% – 20% of organisation’s annual operating budget

• 4 – Resulting in serious loss of ≥ 20% of organisation’s annual operating budget

SUB IMPACT CATEGORY: Non-public finances

• 0 – None

• 1 – Resulting in limited financial hardship to an individual or business

• 2 – Resulting in major financial hardship to an individual or business

• 3 – Resulting in significant financial hardship to an individual or business

• 4 – Resulting in serious financial hardship to an individual or business


IMPACT CATEGORY: LEGAL AND REGULATORY

Impact levels (consequence rating in brackets): NEGLIGIBLE (0), LOW–MEDIUM (1), HIGH (2), VERY HIGH (3), EXTREME (4). Compromise of the information could be expected to cause insignificant (0), limited (1), major (2), significant (3) or serious (4) harm/damage to government operations, organisations and individuals.

SUB IMPACT CATEGORY: Legal/compliance (including applicable legislation and agreements or contracts)

E.g. Non-compliance with legislation, commercial confidentiality and legal privilege

• 0 – No compliance issue or breach

• 1 – Resulting in limited:
  • legal issues
  • non-compliance with contracts or agreements
  • failure of statutory duty
  • breaches
  • misconduct investigation managed internally

• 2 – Resulting in major:
  • legal issues
  • non-compliance with contracts or agreements
  • failure of statutory duty
  • breaches
  • misconduct investigation managed either internally or externally

• 3 – Resulting in significant:
  • legal issues
  • non-compliance with contracts or agreements
  • failure of statutory duty
  • breaches
  • misconduct investigation managed either internally or externally

• 4 – Resulting in serious:
  • legal issues
  • non-compliance with contracts or agreements
  • failure of statutory duty
  • breaches
  • misconduct investigation managed either internally or externally


IMPACT CATEGORY: PERSONAL

Impact levels (consequence rating in brackets): NEGLIGIBLE (0), LOW–MEDIUM (1), HIGH (2), VERY HIGH (3), EXTREME (4). Compromise of the information could be expected to cause insignificant (0), limited (1), major (2), significant (3) or serious (4) harm/damage to government operations, organisations and individuals.

SUB IMPACT CATEGORY: Injury (impact on personal safety, distress, embarrassment, identity, etc.)

• 0 – Resulting in insignificant harm to individual’s safety or liberty

• 1 – Resulting in limited harm to individual’s safety or liberty involving:
  • compromise of person
  • distress/embarrassment
  • injury (non life threatening)

• 2 – Resulting in major harm to individual’s safety or liberty involving:
  • compromise of person
  • distress/embarrassment of high profile person
  • irreversible or life threatening injury
  • direct threat to life/loss of life/fatality

• 3 – Resulting in significant harm to individual’s safety or liberty involving:
  • a high profile individual(s), or
  Resulting in significant harm – loss of life/fatality involving:
  • mass gatherings of individuals
  ‘Mass gatherings’ – i.e. major events, religious congregations/assemblies, forums, seminars
  ‘High profile’ – i.e. VIPs, undercover identities, Ministers etc.

• 4 – Resulting in serious harm – loss of life/fatality:
  • of a high profile individual engaged in critical activities affecting the operation of Victoria
  • widespread loss of life within Victoria
  ‘High profile’ – i.e. VIPs, undercover identities, Ministers etc.


IMPACT CATEGORY: PUBLIC SERVICES

Impact levels (consequence rating in brackets): NEGLIGIBLE (0), LOW–MEDIUM (1), HIGH (2), VERY HIGH (3), EXTREME (4). Compromise of the information could be expected to cause insignificant (0), limited (1), major (2), significant (3) or serious (4) harm/damage to government operations, organisations and individuals.

SUB IMPACT CATEGORY: Reputation, confidence and utilisation of services (impact on party’s standing or reputation including confidence in government)

• 0 – Resulting in insignificant:
  • (no) public concern
  • attention from a stakeholder with no publicity
  • routine internal reporting

• 1 – Resulting in limited:
  • dissatisfaction from public
  • reputational damage
  • embarrassment
  • loss of confidence in internal business unit/group
  • localised media interest/negative publicity
  • specific internal reporting
  • staff/executive suspensions

• 2 – Resulting in major:
  • broad public concern
  • reputational damage
  • loss of public confidence and trust in organisation
  • external inquiry e.g. inquest, Parliamentary inquiry or Royal Commission
  • mainstream media reports/negative publicity
  • intervention of CEO/Secretary

• 3 – Resulting in significant:
  • broad public concern
  • reputational damage
  • loss of public confidence and trust in organisation
  • external inquiry e.g. inquest, Parliamentary Inquiry or Royal Commission
  • mainstream media reports/negative publicity

• 4 – Resulting in serious:
  • broad public concern
  • reputational damage
  • loss of public confidence and trust in organisation
  • external inquiry e.g. inquest, Parliamentary Inquiry or Royal Commission
  • mainstream media reports/negative publicity
  • intervention of CEO/Secretary


IMPACT CATEGORY: PUBLIC SERVICES (CONTINUED…)

Impact levels (consequence rating in brackets): NEGLIGIBLE (0), LOW–MEDIUM (1), HIGH (2), VERY HIGH (3), EXTREME (4). Compromise of the information could be expected to cause insignificant (0), limited (1), major (2), significant (3) or serious (4) harm/damage to government operations, organisations and individuals.

SUB IMPACT CATEGORY: Reputation, confidence and utilisation of services continues…

• 2 – Resulting in major (continued):
  • new internal oversight measures
  • persistent questions in Parliament
  • staff/executive terminations
  • political resignations
  • new external oversight measures

• 3 – Resulting in significant (continued):
  • intervention of CEO/Secretary
  • persistent questions in Parliament
  • staff/executive terminations
  • political resignations
  • new external oversight measures

• 4 – Resulting in serious (continued):
  • persistent questions in Parliament
  • staff/executive terminations
  • political resignations
  • new external oversight measures

SUB IMPACT CATEGORY: Impact on companies operating in Victoria

• 0 – None

• 1 – Resulting in limited damage to the financial viability of, or disadvantaging, a Victorian operated company

• 2 – Resulting in major damage to the financial viability of, or disadvantaging, Victorian operated company(ies)

• 3 – Resulting in significant damage to the financial viability of, or disadvantaging, Victorian operated company(ies)

• 4 – Resulting in serious damage to the financial viability of, or disadvantaging, Victorian operated company(ies)


Impact levels (consequence rating in brackets): NEGLIGIBLE (0), LOW–MEDIUM (1), HIGH (2), VERY HIGH (3), EXTREME (4). Compromise of the information could be expected to cause insignificant (0), limited (1), major (2), significant (3) or serious (4) harm/damage to government operations, organisations and individuals.

SUB IMPACT CATEGORY: Impact on an organisation’s material or physical assets (beyond financial impact)

• 0 – Resulting in insignificant damage to an organisation’s assets

• 1 – Resulting in limited damage to an organisation’s assets

• 2 – Resulting in major damage to an organisation’s assets

• 3 – Resulting in significant damage to an organisation’s assets

• 4 – Resulting in serious damage to an organisation’s assets

SUB IMPACT CATEGORY: Service delivery (impact on capacity to operate, deliver services or programs, cause inconvenience or inability to consume public service)

• 0 – Resulting in no or insignificant threat to, or disruption of business operations, systems or service delivery

• 1 – Resulting in limited degradation or cessation of non-critical (non-essential or important) business operations, systems or services, to an extent that while the organisation can perform its primary functions, the efficiency and effectiveness of the functions is noticeably reduced or impeded

• 2 – Resulting in major degradation or cessation of critical (essential or important) business operations, systems or services, to an extent that the organisation cannot perform one or more of its primary functions, impeding operations

• 3 – Resulting in significant degradation or cessation of critical (essential or important) business operation

s, s

yste

ms

or

serv

ice

s, t

o a

n e

xte

nt

that

th

e o

rgan

isat

ion

c

ann

ot

pe

rfo

rm o

ne

o

r m

ore

of

its

pri

mar

y fu

nc

tio

ns,

imp

ed

ing

o

pe

rati

on

s

Re

sult

ing

in s

eri

ou

s d

eg

rad

atio

n o

r c

ess

atio

n o

f c

riti

cal

(e

sse

nti

al o

r im

po

rtan

t) b

usi

ne

ss

op

era

tio

ns,

sys

tem

s o

r se

rvic

es,

to

an

ext

en

t th

at t

he

org

anis

atio

n

can

no

t p

erf

orm

on

e

or

mo

re o

f it

s p

rim

ary

fun

cti

on

s, im

pe

din

g

op

era

tio

ns

CO

NSE

QU

EN

CE

S

01

23

4

Ch

apte

r 2

– A

pp

end

ix B

– V

PD

SF

Bu

sin

ess

Imp

act

Lev

el (

BIL

) T

able

IMP

AC

T C

AT

EG

OR

Y

P

UB

LIC

SE

RV

ICE

S (C

ON

TIN

UE

D…

)

60 V1.1

Information Security Management Collection

Imp

act

Leve

ls

NE

GLI

GIB

LELO

W–

ME

DIU

MH

IGH

VE

RY

HIG

HE

XT

RE

ME

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld

be

exp

ec

ted

to

c

ause

insi

gn

ifica

nt

har

m/d

amag

e t

o

go

vern

me

nt

op

era

tio

ns,

o

rgan

isat

ion

s an

d

ind

ivid

ual

s

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld

be

exp

ec

ted

to

c

ause

lim

ite

d h

arm

/d

amag

e g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

maj

or

har

m/d

amag

e

to g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

sig

nifi

can

t h

arm

/d

amag

e t

o g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

seri

ou

s h

arm

/dam

age

to

go

vern

me

nt

op

era

tio

ns,

o

rgan

isat

ion

s an

d

ind

ivid

ual

sSU

B IM

PA

CT

CAT

EGO

RY

Re

lati

on

ship

s w

ith

o

the

r g

ove

rnm

en

ts

(inc

lud

ing

C

om

mo

nw

eal

th,

stat

e o

r te

rrit

ory

, or

inte

rnat

ion

al)

Re

sult

ing

in n

o

dam

age

to

re

lati

on

s b

etw

ee

n t

he

Vic

tori

an

Go

vern

me

nt

and

oth

er

go

vern

me

nts

Re

sult

ing

in li

mit

ed

d

amag

e t

o r

ela

tio

ns

be

twe

en

th

e V

icto

rian

G

ove

rnm

en

t an

d

oth

er

go

vern

me

nts

Re

sult

ing

in m

ajo

r d

amag

e t

o r

ela

tio

ns

be

twe

en

th

e V

icto

rian

G

ove

rnm

en

t an

d

oth

er

go

vern

me

nts

Re

sult

ing

in s

ign

ifica

nt

dam

age

to

re

lati

on

s b

etw

ee

n t

he

Vic

tori

an

Go

vern

me

nt

and

o

the

r g

ove

rnm

en

ts

Re

sult

ing

in s

eri

ou

s d

amag

e t

o r

ela

tio

ns

be

twe

en

th

e V

icto

rian

G

ove

rnm

en

t an

d

oth

er

go

vern

me

nts

CO

NSE

QU

EN

CE

S

Pro

visi

on

of

em

erg

en

cy s

erv

ice

sN

on

eR

esu

ltin

g in

lim

ite

d

dis

rup

tio

n t

o

em

erg

en

cy

serv

ice

ac

tivi

tie

s re

qu

irin

g

rep

rio

riti

sati

on

at

the

lo

cal

leve

ls t

o m

ee

t e

xpe

cte

d le

vels

of

serv

ice

Re

sult

ing

in m

ajo

r d

isru

pti

on

to

e

me

rge

nc

y se

rvic

e

acti

viti

es

req

uir

ing

re

pri

ori

tisa

tio

n a

t th

e

Stat

e le

vel t

o m

ee

t e

xpe

cte

d le

vels

of

serv

ice

Re

sult

ing

in s

ign

ifica

nt

dis

rup

tio

n t

o

em

erg

en

cy

serv

ice

ac

tivi

tie

s re

qu

irin

g

rep

rio

riti

sati

on

at

the

St

ate

or

nat

ion

al le

vels

to

me

et

exp

ec

ted

le

vels

of

serv

ice

Re

sult

ing

in s

eri

ou

s d

isru

pti

on

to

e

me

rge

nc

y se

rvic

e

acti

viti

es

req

uir

ing

re

pri

ori

tisa

tio

n a

t th

e

Stat

e o

r n

atio

nal

leve

ls

to m

ee

t e

xpe

cte

d

leve

ls o

f se

rvic

eC

ON

SEQ

UE

NC

ES

01

23

4

Ch

apte

r 2

– A

pp

end

ix B

– V

PD

SF

Bu

sin

ess

Imp

act

Lev

el (

BIL

) T

able

IMP

AC

T C

AT

EG

OR

Y

P

UB

LIC

SE

RV

ICE

S (C

ON

TIN

UE

D…

)

61V1.1

Information Security Management Collection

Imp

act

Leve

ls

NE

GLI

GIB

LELO

W–

ME

DIU

MH

IGH

VE

RY

HIG

HE

XT

RE

ME

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld

be

exp

ec

ted

to

c

ause

insi

gn

ifica

nt

har

m/d

amag

e t

o

go

vern

me

nt

op

era

tio

ns,

o

rgan

isat

ion

s an

d

ind

ivid

ual

s

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld

be

exp

ec

ted

to

c

ause

lim

ite

d h

arm

/d

amag

e g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

maj

or

har

m/d

amag

e

to g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

sig

nifi

can

t h

arm

/d

amag

e t

o g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

seri

ou

s h

arm

/dam

age

to

go

vern

me

nt

op

era

tio

ns,

o

rgan

isat

ion

s an

d

ind

ivid

ual

sSU

B IM

PA

CT

CAT

EGO

RY

Cri

me

fig

hti

ng

Re

sult

ing

in

insi

gn

ifica

nt

dam

age

to

cri

me

fig

hti

ng

Re

sult

ing

in li

mit

ed

d

amag

e t

o c

rim

e

fig

hti

ng

inc

lud

ing

:

• h

ind

eri

ng

th

e

de

tec

tio

n o

f,

• im

pe

din

g t

he

in

vest

igat

ion

, or

• fa

cili

tati

ng

th

e

co

mm

issi

on

of

a su

mm

ary

off

en

ce

Re

sult

ing

in m

ajo

r d

amag

e t

o c

rim

e

fig

hti

ng

inc

lud

ing

:

• h

ind

eri

ng

th

e

de

tec

tio

n o

f,

• im

pe

din

g t

he

in

vest

igat

ion

, or

• fa

cili

tati

ng

th

e

co

mm

issi

on

of

an

ind

icta

ble

off

en

ce

Re

sult

ing

in s

ign

ifica

nt

dam

age

to

cri

me

fi

gh

tin

g in

clu

din

g:

• h

ind

eri

ng

th

e

de

tec

tio

n o

f,

• im

pe

din

g t

he

in

vest

igat

ion

, or

• fa

cili

tati

ng

th

e

co

mm

issi

on

of

a se

rio

us

ind

icta

ble

o

ffe

nc

e

* in

dic

tab

le o

ffe

nc

es

inc

lud

ing

bu

t n

ot

limit

ed

to

‘org

anis

ed

cri

me’

off

en

ce

s

Re

sult

ing

in s

eri

ou

s d

amag

e t

o c

rim

e

fig

hti

ng

inc

lud

ing

:

• h

ind

eri

ng

th

e

de

tec

tio

n o

f,

• im

pe

din

g t

he

in

vest

igat

ion

, or

• fa

cili

tati

ng

th

e

co

mm

issi

on

of

a se

rio

us

ind

icta

ble

o

ffe

nc

e

* in

dic

tab

le o

ffe

nc

es

inc

lud

ing

bu

t n

ot

limit

ed

to

se

rio

us

‘org

anis

ed

cri

me’

off

en

ce

s ac

ross

juri

sdic

tio

ns,

te

rro

rist

acti

viti

es,

etc

.C

ON

SEQ

UE

NC

ES

01

23

4

Ch

apte

r 2

– A

pp

end

ix B

– V

PD

SF

Bu

sin

ess

Imp

act

Lev

el (

BIL

) T

able

IMP

AC

T C

AT

EG

OR

Y

P

UB

LIC

OR

DE

R, P

UB

LIC

SA

FET

Y A

ND

LA

W E

NFO

RC

EM

EN

T

62 V1.1

Information Security Management Collection

Imp

act

Leve

ls

NE

GLI

GIB

LELO

W–

ME

DIU

MH

IGH

VE

RY

HIG

HE

XT

RE

ME

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld

be

exp

ec

ted

to

c

ause

insi

gn

ifica

nt

har

m/d

amag

e t

o

go

vern

me

nt

op

era

tio

ns,

o

rgan

isat

ion

s an

d

ind

ivid

ual

s

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld

be

exp

ec

ted

to

c

ause

lim

ite

d h

arm

/d

amag

e g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

maj

or

har

m/d

amag

e

to g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

sig

nifi

can

t h

arm

/d

amag

e t

o g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

seri

ou

s h

arm

/dam

age

to

go

vern

me

nt

op

era

tio

ns,

o

rgan

isat

ion

s an

d

ind

ivid

ual

sSU

B IM

PA

CT

CAT

EGO

RY

Jud

icia

l pro

cee

din

gs

No

ne

Re

sult

ing

in li

mit

ed

d

amag

e t

o ju

dic

ial

pro

ce

ed

ing

s in

clu

din

g:

• im

pai

rme

nt

to

jud

icia

l op

era

tio

ns

ove

rse

ein

g

sum

mar

y o

ffe

nc

es

• c

olla

pse

of

a su

mm

ary

pro

sec

uti

on

• a

co

nvi

cti

on

fo

r a

sum

mar

y o

ffe

nc

e

de

cla

red

‘un

safe

’ o

r re

ferr

ed

fo

r ap

pe

al

* U

nsa

fe c

om

mo

nly

kno

wn

as

a m

isc

arri

age

of

just

ice

Re

sult

ing

in m

ajo

r d

amag

e t

o ju

dic

ial

pro

ce

ed

ing

s in

clu

din

g:

• d

amag

e t

o t

he

St

ate

jud

icia

l sy

ste

m o

vers

ee

ing

in

dic

tab

le

off

en

ce

s

• c

olla

pse

of

an in

dic

tab

le

pro

sec

uti

on

• a

co

nvi

cti

on

fo

r an

in

dic

tab

le o

ffe

nc

e

de

cla

red

‘un

safe

’ o

r re

ferr

ed

fo

r ap

pe

al

* U

nsa

fe c

om

mo

nly

kno

wn

as

a m

isc

arri

age

of

just

ice

Re

sult

ing

in s

ign

ifica

nt

dam

age

to

jud

icia

l p

roc

ee

din

gs

inc

lud

ing

:

• d

amag

e t

o t

he

ju

dic

ial s

yste

m

ove

rse

ein

g

seri

ou

s in

dic

tab

le

off

en

ce

s

• c

olla

pse

of

a se

rio

us

ind

icta

ble

p

rose

cu

tio

n

• a

co

nvi

cti

on

fo

r a

seri

ou

s in

dic

tab

le

off

en

ce

de

cla

red

‘u

nsa

fe’ o

r re

ferr

ed

fo

r ap

pe

al

* U

nsa

fe c

om

mo

nly

kno

wn

as

a m

isc

arri

age

of

just

ice

Re

sult

ing

in s

eri

ou

s d

amag

e t

o ju

dic

ial

pro

ce

ed

ing

s in

clu

din

g:

• d

amag

e t

o t

he

ju

dic

ial s

yste

m

ove

rse

ein

g

seri

ou

s in

dic

tab

le

off

en

ce

s

• c

olla

pse

of

a se

rio

us

ind

icta

ble

p

rose

cu

tio

n

• a

co

nvi

cti

on

fo

r a

seri

ou

s in

dic

tab

le

off

en

ce

de

cla

red

‘u

nsa

fe’

* U

nsa

fe c

om

mo

nly

kno

wn

as

a m

isc

arri

age

of

just

ice

CO

NSE

QU

EN

CE

S

01

23

4

Ch

apte

r 2

– A

pp

end

ix B

– V

PD

SF

Bu

sin

ess

Imp

act

Lev

el (

BIL

) T

able

IMP

AC

T C

AT

EG

OR

Y

P

UB

LIC

OR

DE

R, P

UB

LIC

SA

FET

Y A

ND

LA

W E

NFO

RC

EM

EN

T (

CO

NT

INU

ED

…)

63V1.1

Information Security Management Collection

Imp

act

Leve

ls

NE

GLI

GIB

LELO

W–

ME

DIU

MH

IGH

VE

RY

HIG

HE

XT

RE

ME

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld

be

exp

ec

ted

to

c

ause

insi

gn

ifica

nt

har

m/d

amag

e t

o

go

vern

me

nt

op

era

tio

ns,

o

rgan

isat

ion

s an

d

ind

ivid

ual

s

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld

be

exp

ec

ted

to

c

ause

lim

ite

d h

arm

/d

amag

e g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

maj

or

har

m/d

amag

e

to g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

sig

nifi

can

t h

arm

/d

amag

e t

o g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

seri

ou

s h

arm

/dam

age

to

go

vern

me

nt

op

era

tio

ns,

o

rgan

isat

ion

s an

d

ind

ivid

ual

sSU

B IM

PA

CT

CAT

EGO

RY

Pu

blic

un

rest

/ord

er

No

ne

/No

dis

rup

tio

n t

o

co

mm

un

ity

Re

sult

ing

in li

mit

ed

:

• d

amag

e t

o p

ub

lic

ord

er

• d

isru

pti

on

to

c

om

mu

nit

y

Re

sult

ing

in m

ajo

r:

• d

amag

e t

o p

ub

lic

ord

er

• d

isru

pti

on

to

c

om

mu

nit

y

Re

sult

ing

in

sig

nifi

can

t:

• d

amag

e t

o p

ub

lic

ord

er

(e.g

. rio

ts)

• d

isru

pti

on

to

c

om

mu

nit

y

Re

sult

ing

in s

eri

ou

s:

• d

amag

e t

o p

ub

lic

ord

er

(e.g

. rio

ts)

• d

isru

pti

on

to

c

om

mu

nit

y

CO

NSE

QU

EN

CE

S

01

23

4

Ch

apte

r 2

– A

pp

end

ix B

– V

PD

SF

Bu

sin

ess

Imp

act

Lev

el (

BIL

) T

able

IMP

AC

T C

AT

EG

OR

Y

P

UB

LIC

OR

DE

R, P

UB

LIC

SA

FET

Y A

ND

LA

W E

NFO

RC

EM

EN

T (

CO

NT

INU

ED

…)

64 V1.1

Information Security Management Collection

Imp

act

Leve

ls

NE

GLI

GIB

LELO

W–

ME

DIU

MH

IGH

VE

RY

HIG

HE

XT

RE

ME

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld

be

exp

ec

ted

to

c

ause

insi

gn

ifica

nt

har

m/d

amag

e t

o

go

vern

me

nt

op

era

tio

ns,

o

rgan

isat

ion

s an

d

ind

ivid

ual

s

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld

be

exp

ec

ted

to

c

ause

lim

ite

d h

arm

/d

amag

e g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

maj

or

har

m/d

amag

e

to g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

sig

nifi

can

t h

arm

/d

amag

e t

o g

ove

rnm

en

t o

pe

rati

on

s,

org

anis

atio

ns

and

in

div

idu

als

Co

mp

rom

ise

of

the

in

form

atio

n c

ou

ld b

e

exp

ec

ted

to

cau

se

seri

ou

s h

arm

/dam

age

to

go

vern

me

nt

op

era

tio

ns,

o

rgan

isat

ion

s an

d

ind

ivid

ual

sSU

B IM

PA

CT

CAT

EGO

RY

Pro

tect

ive

Mar

kin

g

UN

CL

ASS

IFIE

DU

NC

LA

SSIF

IED

b

eari

ng

a D

LMP

RO

TE

CT

ED

CO

NFI

DE

NT

IAL

SEC

RE

T

Info

rmat

ion

ass

ess

ed

at

th

is le

vel,

req

uir

es

auth

ori

sati

on

fo

r u

nlim

ite

d p

ub

lic

rele

ase

an

d

co

nfi

rme

d a

s P

UB

LIC

DO

MA

IN

Dis

sem

inat

ion

Lim

itin

g

Mar

ker

(DLM

) o

pti

on

s at

th

is le

vel i

nc

lud

e:

• Fo

r O

ffic

ial U

se

On

ly

• Se

nsi

tive

(in

clu

din

g

leg

isla

tive

re

fere

nc

e)

• Se

nsi

tive

: P

ers

on

al

• Se

nsi

tive

: Le

gal

• Se

nsi

tive

: V

IC

Cab

ine

t

Dis

sem

inat

ion

Lim

itin

g

Mar

ker

(DLM

) o

pti

on

s at

th

is le

vel i

nc

lud

e:

• Se

nsi

tive

(in

clu

din

g

leg

isla

tive

re

fere

nc

e)

• Se

nsi

tive

: P

ers

on

al

• Se

nsi

tive

: Le

gal

• Se

nsi

tive

: V

IC

Cab

ine

t

Dis

sem

inat

ion

Lim

itin

g

Mar

ker

(DLM

) o

pti

on

s at

th

is le

vel i

nc

lud

e

• Se

nsi

tive

(in

clu

din

g

leg

isla

tive

re

fere

nc

e)

• Se

nsi

tive

: P

ers

on

al

• Se

nsi

tive

: Le

gal

• Se

nsi

tive

: V

IC

Cab

ine

t

Dis

sem

inat

ion

Lim

itin

g

Mar

ker

(DLM

) o

pti

on

s at

th

is le

vel i

nc

lud

e:

• Se

nsi

tive

(in

clu

din

g

leg

isla

tive

re

fere

nc

e)

• Se

nsi

tive

: P

ers

on

al

• Se

nsi

tive

: Le

gal

• Se

nsi

tive

: V

IC

Cab

ine

t

01

23

4

Ch

apte

r 2

– A

pp

end

ix B

– V

PD

SF

Bu

sin

ess

Imp

act

Lev

el (

BIL

) T

able

IMP

AC

T C

AT

EG

OR

Y

P

RO

TE

CT

IVE

MA

RK

ING

65V1.1

Information Security Management Collection

Ple

ase

no

te:

• H

arm

re

fers

to

an

imp

act

on

a p

ers

on

wh

ere

as d

amag

e r

efe

rs t

o a

n im

pac

t o

n a

n a

sse

t

• Fo

r im

pac

ts o

f a

‘Nat

ion

al In

tere

st’ r

efe

r to

th

e A

ust

ralia

n G

ove

rnm

en

t B

usi

ne

ss Im

pac

t Le

vels

ou

tlin

ed

in t

he

Co

mm

on

we

alth

PSP

F

• P

rote

cti

ve m

arki

ng

s o

nly

re

late

to

co

nfi

de

nti

alit

y, t

he

re is

no

eq

uiv

ale

nt

set

of

‘pro

tec

tive

mar

kin

gs’

fo

r in

teg

rity

or

avai

lab

ility

, ho

we

ver

the

b

usi

ne

ss im

pac

t le

vel t

able

sh

ou

ld b

e u

sed

to

de

term

ine

th

e im

pac

t to

inte

gri

ty a

nd

ava

ilab

ility

of

info

rmat

ion

to

su

pp

ort

th

e r

eq

uir

ed

co

ntr

ols

to

p

rote

ct

the

info

rmat

ion

.

Ch

apte

r 2

– A

pp

end

ix B

– V

PD

SF

Bu

sin

ess

Imp

act

Lev

el (

BIL

) T

able

66 V1.1

Information Security Management Collection

Chapter 2 – Appendix C – BIL Mobile App

As official information is created, the originator of the material is required to assess potential business impacts if the confidentiality, integrity or availability of the information were compromised.

To assist users in performing this assessment, CPDP has created a BIL App. The BIL App is available as an online web form and as a mobile app, downloadable onto your mobile device from the iTunes and Google Play stores.

The impact categories and consequence statements outlined under the VPDSF Business Impact Level (BIL) table are reflected in the app.

Using the App

Individuals who complete an information assessment using the app are provided a summary that identifies:

• what protective marking(s) are to be applied to the official information they have assessed, as well as

• whether additional security measures are needed to protect the integrity and availability of the material (these security measures are beyond those established by the protective marking).

Users who finalise their assessment are also presented with the option of emailing the results to themselves.

The email option uses the default mail client installed on the individual’s device and sends the user a summary of their recent information assessment.

We recommend this summary be retained as a record of the information assessment.


Chapter 3 – Protective Markings

20. Purpose

This chapter aims to assist Victorian public sector organisations in understanding:

• what information requires a protective marking

• what protective markings are

• the definitions that underpin each protective marking

• the benefits of using protective markings.

21. Introduction

21.1 What information requires a protective marking?

Information falls into two broad informal categories:

OFFICIAL INFORMATION

Official information means any information (including personal information) obtained, generated, received or held by or for a Victorian public sector organisation for an official purpose or supporting official activities.

This includes both hard and soft copy information, regardless of media or format.

Not all official information will require a protective marking; however, other security measures may still be required to protect the integrity and availability of this material.

Official information may require a protective marking.

UNOFFICIAL INFORMATION

In contrast, unofficial information is any information that has no relation to official activities, such as personal correspondence.

Unofficial information does not need to undergo an information value assessment. As such, no protective marking is necessary for this type of material, and it may be identified as ‘unofficial’.

Unofficial information must not be labelled with a protective marking.

21.2 What are the benefits of using protective markings?

Consistent use of protective markings, coupled with the adoption of appropriate security measures, enhances the Victorian Government’s ability to conduct business in a secure and effective manner.

Protective markings act as an important visual signal to anyone using or accessing the material, as to the minimum security obligations that accompany that official information.

22. What are protective markings?

Protective markings are security labels assigned to official information. They signify the confidentiality requirements of official information, determined via an information assessment using the VPDSF BIL table.³²

Protective markings inform the minimum level of protection to be provided throughout the information lifecycle (e.g. during use, storage, transmission/transfer and disposal).

32 Organisations should refer to Chapter 2 (Understanding Information Value) of this security collection, which provides instructions around the information assessment process, and further guidance on determining what material requires a protective marking.


23. Protective markings scheme (Victoria)

23.1 VPDSF protective markings

Under the VPDSF, the following types of protective markings are recognised:

VPDSF PROTECTIVE MARKINGS

Dissemination Limiting Markers (DLMs):

• For Official Use Only

• Sensitive: ‘XXX’ (refer relevant secrecy provisions or specific provisions within enactments)

• Sensitive: Legal

• Sensitive: Personal

• Sensitive: VIC Cabinet

Security Classifications:

• PROTECTED

• CONFIDENTIAL

• SECRET

• TOP SECRET³³

Caveats:

• Eyes Only

• Releasable to

• Special handling

• Accountable material

• Organisation specific caveats

23.2 Dissemination Limiting Markers (DLMs)

DLMs are protective markings that indicate to users that access to that material should be limited. DLMs are to be used where:

• disclosure of official information is limited or prohibited by legislation

• special handling of the information is required

• dissemination of the information needs to be controlled.³⁴

Depending on the content, some information may require multiple DLMs. In these instances, organisations should stack each required DLM on the information. Certain DLMs can be used in conjunction with security classifications, depending on the confidentiality requirements of the information. A visual representation of the protective marking relationships is captured in Chapter 3 – Appendix A of this security guide.

Within Victorian Government, the following DLMs are used. Some of these DLMs may vary from those at the Commonwealth level.³⁵

33 The security classification of TOP SECRET is not referenced as an available protective marking for use under the VPDSF. Please refer to the Commonwealth Protective Security Policy Framework (PSPF) for more information.

34 Refer Chapter 3 – Appendix A – Relationship between Protective Markings

35 For more information on the Commonwealth protective marking scheme, refer to the Protective Security Policy Framework (PSPF) at https://www.protectivesecurity.gov.au


DLM BASIS FOR MARKING

For Official Use Only (FOUO)

To be applied to official information that requires some form of protection, and where no other DLM or security classification is warranted.

Compromise of this information may cause limited harm/damage to government operations, organisations and individuals.

• ‘For Official Use Only’ must not be applied to security classified information.

• ‘For Official Use Only’ is only suitable for use on Unclassified material.

Sensitive ‘XXX’

(‘XXX’ - Refer to relevant secrecy provisions or specific provisions within enactments)

To be applied to official information where secrecy provisions or enactments may apply to the content, or where disclosure of the material may be limited or prohibited under legislation.

Organisations must identify the reason for the ‘Sensitive’ marking (this can be captured in a footer or on the front cover of the information) as well as any additional handling requirements resulting from the marking.

‘Sensitive’ can be used in conjunction with either security classified information or Unclassified material.

Sensitive: Legal

To be applied to information that may be subject to legal professional privilege.

‘Sensitive: Legal’ can be used in conjunction with either security classified information or Unclassified material.

Sensitive: Personal

To be applied to information containing sensitive personal content. The basis for this marking under the VPDSF is drawn from the definition of ‘sensitive information’ under Schedule 1 of the Privacy and Data Protection Act (2015), which states:

Sensitive information means information or an opinion about an individual’s:

a) racial or ethnic origin; or

b) political opinions; or

c) membership of a political association; or

d) religious beliefs or affiliations; or

e) philosophical beliefs; or

f) membership of a professional or trade association; or

g) membership of a trade union; or

h) sexual preferences or practices; or

i) criminal record,

that is also personal information.

‘Sensitive: Personal’ can be used in conjunction with either security classified or unclassified information.


Sensitive: VIC Cabinet

All documents prepared for consideration by Victorian Cabinet, including those in draft, are, at a minimum, to be labelled with the DLM of ‘Sensitive: VIC Cabinet’.*

This protective marking is to be applied to all Victorian Cabinet information, including but not limited to:

• an official Record of any deliberation or decision of Cabinet;

• a document that has been prepared by a Minister or on their behalf or by an agency for the purpose of submission for consideration by Cabinet;

• a document prepared for the purpose of briefing a Minister in relation to issues to be considered by Cabinet;

• a document that is a draft of, or contains extracts from a document referred to above; or

• a document, the disclosure of which would involve the disclosure of any deliberation or decision of Cabinet, other than a document by which a decision of Cabinet was officially published.³⁶

* All official information must be assessed on its individual merits. Some Victorian Cabinet information may require additional protective markings, taking the form of other DLMs or security classifications in conjunction with the minimum labelling of Sensitive: VIC Cabinet.³⁷

23.2.1 Victorian Cabinet documentation

Information used by Victorian Cabinet to formulate policy and make decisions requires special protective security controls. This is because Cabinet material (unlike other official information) belongs to the particular government that created it. Cabinet documents are integral to the process by which governments make decisions, and they constitute the record of those decisions.

A new Victorian specific DLM has now been established to reflect Victorian Cabinet requirements and to distinguish Victorian Cabinet material from that generated at the Commonwealth level. All documents prepared for consideration by Victorian Cabinet, including those in draft, are, at a minimum, to be labelled with the DLM of ‘Sensitive: VIC Cabinet’.

Originators should still assess the contents of the document using the VPDSF BIL table to determine the value of the information and whether additional protective markings (including security classifications) are also required to further protect the information.

See the Victorian Government Cabinet Handbook for more information on this material.

36 Victorian Government Cabinet Handbook – January 2017

37 Organisations should refer to Chapter 2 (Understanding Information Value) of this security collection for instructions on how to assess information on its individual merits


23.3 Security classifications

A security classification identifies heightened confidentiality requirements of the information.

Information marked with a security classification has been through the information assessment process and has achieved a BIL of 2 or above.³⁸

There are three security classifications used within Victorian Government. They are:

PROTECTED, CONFIDENTIAL and SECRET.

[Figure: protective marking scale, from PUBLIC DOMAIN (if authorised for unlimited public release), UNCLASSIFIED (no DLM) and UNCLASSIFIED (bearing a DLM), through PROTECTED, CONFIDENTIAL and SECRET, to TOP SECRET]

These security classifications reflect the operating requirements of Victorian Government and align with the Commonwealth Protective Security Policy Framework (PSPF) classification scheme.

The security classification of TOP SECRET is not referenced as an available protective marking for use under the VPDSF.

38 Refer to Chapter 2 (Understanding Information Value) of this security collection for more information



The security classification of PROTECTED is used when the compromise of the confidentiality of the information could be expected to cause major harm/damage to government operations, organisations and individuals.

Information marked at PROTECTED has been through the information assessment process and has achieved a BIL of 2.³⁹


The security classification of CONFIDENTIAL is used when compromise of the confidentiality of the information could be expected to cause significant harm/damage to government operations, organisations and individuals.

Information marked at CONFIDENTIAL has been through the information assessment process and has achieved a BIL of 3.⁴⁰


The security classification of SECRET is used when the compromise of the confidentiality of the information could be expected to cause serious harm/damage to government operations, organisations and individuals.

Information marked at SECRET has been through the information assessment process and has achieved a BIL of 4.⁴¹


The security classification of TOP SECRET is not referenced as an available protective marking for use under the VPDSF.

TOP SECRET is reserved for matters requiring the highest degree of protection and for information that has the potential to catastrophically impact national interest.

For more information on TOP SECRET material, refer to the Commonwealth Protective Security Policy Framework (PSPF).

39 Refer to Chapter 2 (Understanding Information Value), Chapter 2 – Appendix B (VPDSF BIL table) of this security collection for more information.

40 As above

41 As above

[Figure axis labels: harm scale NEGLIGIBLE | LOW – MEDIUM | HIGH | VERY HIGH | EXTREME; PSPF]


23.4 Unclassified information

Unclassified is not recognised as a protective marking and is not to be applied to security classified information. Under the VPDSF, there are two types of Unclassified information.

• Unclassified with a DLM (U/D), and

• Unclassified material without a DLM (U).

23.4.1 Unclassified (bearing a DLM)


• Unclassified/DLM (U/D) describes information whose compromise of confidentiality would be expected to cause limited harm or damage.

• Unclassified material assessed at a BIL of 1 must be used in conjunction with a DLM or caveat.

• Information assessed at this level requires a DLM or caveat to be marked on the information.

23.4.2 Unclassified (no DLM)


• Unclassified without a DLM (U) describes information whose compromise of confidentiality would not be expected to cause harm or damage.

• Unclassified information has achieved a BIL of zero (0) (see footnote 42), but has not been approved for unlimited public release.

• Information assessed at this level may be labelled UNCLASSIFIED or left unmarked, in accordance with the organisation’s internal policies and procedures (see footnote 43).

23.5 Public Domain


‘Public Domain’ is not a protective marking. It is a term used to describe material that has been approved for unlimited public release, in accordance with the authorising environment of the originating organisation.

Information assessed at this level may be labelled PUBLIC DOMAIN or left unmarked, in accordance with the organisation’s internal policies and procedures.

42 As above

43 It is recommended that organisations consider applying UNCLASSIFIED to their material once it has been formally assessed to reduce confusion with information that is yet to be assessed or protectively marked.


23.6 Non-standard markings

Protective markings outside those established under the VPDSF are considered ‘non-standard markings’. These markings are prohibited for use across the Victorian public sector, as their application undermines information-sharing and introduces unwarranted complexity when determining what security controls are required to protect the material at a particular level. Organisations that use non-standard markings must change these markings before distributing or transferring this information externally.

23.7 Caveats

Caveats indicate that official information has special requirements in addition to those identified by a DLM or security classification to further restrict access to the material. Caveats are used in conjunction with the appropriate DLM or security classification and are not stand-alone protective markings.

Caveats cannot be applied to ‘Unclassified’ material.

Access to caveat material is only available to those who are appropriately screened/security cleared and have been briefed about the value of the particular information (see footnote 44).

There are three layers of caveats available:

• Commonwealth level – most commonly found on material relating to information impacting the national interest (national security) (see footnote 45)

• Whole of Victoria Government (WoVG) level – authorised caveats only (see table below)

• Organisation specific – internal application and use only.

Some organisations may need to use caveats when disseminating information across Victorian Government. The following caveats have been authorised for use within Victorian Government:

VICTORIAN CAVEATS

BASIS FOR THE CAVEAT

Eyes Only (EO) The ‘Eyes Only’ marking indicates that access to information is restricted to certain:

• Roles (e.g. Ministers),

• Entities (e.g. Independent Broad-based Anti-Corruption Commission), or

• where employees are engaged in sensitive interagency projects (e.g. highly sensitive joint projects between Victoria Police and Corrections Victoria personnel)

Any information marked ‘Eyes Only’ cannot be passed to or accessed by those who are not listed in the marking.

44 Material marked with a caveat is not subject to any policy exceptions. Prior agreement must be sought from the originator if the caveat requires alteration or removal.

45 Refer to the Commonwealth Protective Security Policy Framework (PSPF) for more information on caveats for information impacting the national interest (National Security)


VICTORIAN CAVEATS

BASIS FOR THE CAVEAT

Releasable to The caveat ‘releasable to’ identifies information that has been released or is releasable to the indicated body or group.

Special handling caveat

A special-handling caveat is a collection of various indicators such as operation codewords, instructions to use particular communications channels and EXCLUSIVE FOR (named person).

Accountable material

If strict control over access to, and movement of, particularly sensitive information is required, originators can make this information ‘Accountable Material’. What constitutes ‘Accountable Material’ will vary from organisation to organisation, but could include budget papers, tender documents and sensitive ministerial briefing documents.

Accountable documents are subject to strict conditions including labelling, individual reference and copy numbers, warnings relating to copy restrictions, transfer, receipting and registration of the material.

23.7.1 Organisation specific caveats

Organisation specific caveats can only be used within the agency or body.

Official information bearing a caveat that has originated at the organisation level must be re-labelled or appropriate procedures agreed before release, transmission or transfer outside the originating agency and body.
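The combination rules in sections 23.3 to 23.7 and in the ready reckoner (Appendix C) lend themselves to a mechanical check, for example in a document management system or an email gateway policy. The Python below is an added example written for this collection, not tooling from the VPDSF or the CPDP; the Marking class, the validate_marking function and its messages are the example's own names. It encodes the markings the collection lists and the rules that TOP SECRET and non-standard markings are unavailable, that legacy markings on actively used material need reassessment, that ‘For Official Use Only’ cannot be combined with any other DLM or a security classification, and that caveats are never stand-alone. Whether a caveat may accompany Unclassified material bearing a DLM, which section 23.4.1 permits and the opening of section 23.7 appears to exclude, is left to the implementing organisation's policy.

```python
"""Validator for VPDSF-style protective markings.

Added example for this page, not code from the VPDSF or the CPDP. Names
(Marking, validate_marking) are hypothetical, chosen for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Security classifications available under the VPDSF (section 23.3).
CLASSIFICATIONS = {"PROTECTED", "CONFIDENTIAL", "SECRET"}

# DLMs shown in Chapter 3, Appendix A (FOUO plus the DLMs with a legislative basis).
DLMS = {
    "For Official Use Only",
    "Sensitive",
    "Sensitive: Personal",
    "Sensitive: Legal",
    "Sensitive: VIC Cabinet",
}

# Caveats authorised for use within Victorian Government (section 23.7 table).
# Organisation-specific caveats are internal only and are not checked here.
CAVEATS = {"Eyes Only", "Releasable to", "Special handling", "Accountable material"}

# Markings that look like classifications but are not usable under the VPDSF.
NOT_AVAILABLE = {"TOP SECRET"}  # reserved to the Commonwealth PSPF (section 23.3)
LEGACY = {  # former schemes (section 25): reassess if the material is in active use
    "HIGHLY PROTECTED", "RESTRICTED", "IN-CONFIDENCE",
    "X-IN-CONFIDENCE", "CABINET-IN-CONFIDENCE",
}


@dataclass
class Marking:
    """A composite protective marking. classification=None means Unclassified."""
    classification: Optional[str] = None
    dlms: List[str] = field(default_factory=list)
    caveats: List[str] = field(default_factory=list)


def validate_marking(m: Marking) -> List[str]:
    """Return the rule violations found; an empty list means the marking is acceptable."""
    problems: List[str] = []

    if m.classification is not None:
        c = m.classification.strip().upper()
        if c in NOT_AVAILABLE:
            problems.append(f"{c} is not an available protective marking under the VPDSF")
        elif c in LEGACY:
            problems.append(f"{c} is a legacy marking; actively used material must be reassessed")
        elif c not in CLASSIFICATIONS:
            problems.append(f"non-standard marking {m.classification!r} is prohibited")

    for d in m.dlms:
        if d not in DLMS:
            problems.append(f"non-standard DLM {d!r} is prohibited")

    # FOUO is exclusive: no other DLM and no security classification alongside it.
    if "For Official Use Only" in m.dlms and (len(m.dlms) > 1 or m.classification is not None):
        problems.append("For Official Use Only cannot be combined with any other DLM "
                        "or a security classification")

    for cav in m.caveats:
        if cav not in CAVEATS:
            problems.append(f"{cav!r} is not a caveat authorised for use within Victorian Government")

    # Caveats sit alongside a DLM or classification, never on their own.
    if m.caveats and m.classification is None and not m.dlms:
        problems.append("caveats are not stand-alone markings; a DLM or security "
                        "classification is required")

    return problems


if __name__ == "__main__":
    # Constructed sample markings, not taken from any real document.
    for sample in (
        Marking("PROTECTED", ["Sensitive: Personal"], ["Eyes Only"]),
        Marking(None, ["For Official Use Only"]),
        Marking("TOP SECRET"),
        Marking("PROTECTED", ["For Official Use Only"]),
        Marking(None, [], ["Eyes Only"]),
    ):
        print(sample, "->", validate_marking(sample) or "OK")
```

The check deliberately reports every violation rather than stopping at the first, so a label-review queue can show a user all of the reasons a marking was rejected.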


24. Protectively marked material from another organisation

It is essential that users understand and respect the protective marking applied by the originator of the information. This includes information generated by:

• Local Council/Shire

• State or Territory agency

• Commonwealth department/agencies

• Foreign Government

• Private industry

If an organisation receives information labelled with an unfamiliar protective marking, they should contact the originator of that material as there may be specific security obligations imposed by that marking.

24.1 Commonwealth information

While the Victorian and Commonwealth protective marking schemes are similar, the Commonwealth PSPF includes additional protective markings available for use by Commonwealth departments/agencies.

It is unlikely that these protective markings will be used by Victorian public sector organisations; however, on the rare occasion that this may be required, organisations should refer to the PSPF for further information (see footnote 46).

24.2 State or Territory information

Where another State or Territory has generated information and applies a protective marking, the marking and any accompanying security measures must be respected by the receiving organisation in Victoria.

Chapter 3 – Appendix B of this security guide provides an outline of the most common protective markings employed by each State and Territory.

24.3 Foreign Government information

Where security classified information is provided under a bilateral agreement, foreign government information (FGI) is to be given the equivalent protective marking. FGI cannot be distributed outside the conditions of these agreements. For more information, refer to the FGI instructions under the PSPF (see footnote 47).

46 Examples may include where a Victorian public sector organisation may be dealing with information with the potential to impact the national interest. In these instances, organisations should refer to the requirements set out in the Commonwealth Protective Security Policy Framework (PSPF) – https://www.protectivesecurity.gov.au/

47 As above


24.4 Private industry

Information produced by a private sector organisation may not bear a protective marking, but it may include a commercial label (e.g. Commercial in Confidence). Users receiving material from private industry should contact the originator of the information to help determine what protective marking may be required and clarify if there are any additional security conditions for the information, once it is transferred into the custody of a Victorian public sector organisation.

Where private industry generates information for a Victorian public sector organisation, they are to refer to the engaging organisation’s protective marking requirements.

25. Legacy classified information

Official information that has been protectively marked under a former security classification or protective marking scheme (see footnote 48) is now referred to as ‘legacy’ information or ‘legacy classified information’.

Only official information that is being actively used by a Victorian public sector organisation needs to undergo an updated information assessment. This updated assessment will help organisations reclassify the information under the new protective marking scheme of the VPDSF.

Chapter 2 – Understanding Information Value of this security collection outlines the information assessment process that organisations are expected to use to determine the likely impact arising from a compromise to the confidentiality, integrity and availability of official information.

Any information that is not being actively used, or that has been archived, does not require a re-assessment under the new protective marking scheme. This information can retain its former security classification or protective marking.

Sample legacy markings may include:

• In-Confidence or X-In-Confidence (including Cabinet-In-Confidence)

• Restricted

• Highly Protected

48 Examples include the Protective Security Manual [PSM] and the Whole of Victorian Government [WoVG] Security Standards


Chapter 3 Appendices – Protective Markings

Chapter 3 – Appendix A – Relationship between protective markings

[Figure: each family of markings listed below is plotted against the marking scale UNCLASSIFIED (No DLM) | UNCLASSIFIED (Bearing a DLM) | PROTECTED | CONFIDENTIAL | SECRET | TOP SECRET | PUBLIC DOMAIN (If authorised for unlimited public release). The text recovered from the figure follows.]

Security Classifications: PROTECTED; CONFIDENTIAL; SECRET; TOP SECRET

DLM: For Official Use Only (FOUO)

DLM with a legislative basis: Sensitive: Personal; Sensitive: Legal; Sensitive: VIC Cabinet; Sensitive ‘XXX’ (To be used where disclosure is limited or prohibited under legislation. Replace ‘XXX’ with the relevant secrecy provision or enactment.)

Caveats

Public Domain (PUBLIC DOMAIN only once the information is authorised for unlimited public release) (Information must be first declassified)


Chapter 3 – Appendix B – Common protective markings employed by each State and Territory

JURISDICTIONAL PROTECTIVE MARKINGS REFERENCE TABLE

(Columns: Jurisdiction | Classifications | Dissemination Limiting Markers (DLMs) | Other markings)

Commonwealth (Cmth)

• Classifications: TOP SECRET; SECRET; CONFIDENTIAL; PROTECTED

• DLMs: UNCLASSIFIED bearing a DLM of: Sensitive; Sensitive: Legal; Sensitive: Personal; Sensitive: Cabinet; For Official Use Only

• Other markings: UNCLASSIFIED (bearing no DLM); CAVEATS (refer to the PSPF for a full list of available caveats)

Victoria (VIC)

• Classifications: SECRET; CONFIDENTIAL; PROTECTED

• DLMs: UNCLASSIFIED bearing a DLM of: Sensitive; Sensitive: Legal; Sensitive: Personal; Sensitive: VIC Cabinet; For Official Use Only

• Other markings: CAVEATS (refer to the PSPF for a full list of available caveats); UNCLASSIFIED (bearing no DLM); Public Domain* (*if approved for unlimited public release)

New South Wales (NSW)

• Classifications: TOP SECRET; SECRET; CONFIDENTIAL; PROTECTED

• DLMs: UNCLASSIFIED bearing a DLM of: Sensitive; Sensitive: Legal; Sensitive: Personal; Sensitive: NSW Cabinet; For Official Use Only

South Australia (SA)

• Classifications: TOP SECRET; SECRET; CONFIDENTIAL; PROTECTED

• DLMs: UNCLASSIFIED bearing a DLM of: Sensitive; Sensitive: Legal; Sensitive: Personal; Sensitive: SA Cabinet; For Official Use Only

• Other markings: PUBLIC

Northern Territory (NT)

• Classifications: HIGHLY PROTECTED; PROTECTED

• DLMs: In-Confidence

Western Australia (WA)

• Classifications: TOP SECRET; SECRET; CONFIDENTIAL; HIGHLY PROTECTED; PROTECTED

Queensland (QLD)

• Classifications: TOP SECRET; SECRET; CONFIDENTIAL; HIGHLY PROTECTED; PROTECTED

• DLMs: UNCLASSIFIED bearing a DLM of: Sensitive; Sensitive: Legal; Sensitive: Personal; Sensitive: Cabinet; For Official Use Only

Australian Capital Territory (ACT)

• Classifications: TOP SECRET; SECRET; CONFIDENTIAL; PROTECTED

• DLMs: UNCLASSIFIED bearing a DLM of: Sensitive; Sensitive: Legal; Sensitive: Personal; Sensitive: Cabinet; For Official Use Only

• Other markings: UNCLASSIFIED (bearing no DLM); CAVEATS (refer to the PSPF for a full list of available caveats)

Tasmania (TAS)

• Classifications: HIGHLY PROTECTED; PROTECTED; X-In-Confidence

• Other markings: UNCLASSIFIED (bearing no DLM); PUBLIC


Chapter 3 – Appendix C – Ready reckoner: How to select an appropriate protective marking

[Flowchart: HOW TO SELECT AN APPROPRIATE PROTECTIVE MARKING. The questions and outcomes recovered from the chart are listed below in the order the chart presents them; each outcome follows the question whose answer leads to it.]

START – Could compromise of the information have the potential to affect national interest?

• YES: Refer to the Protective Security Policy Framework (PSPF) for more information – visit www.protectivesecurity.gov.au

• NO: Continue assessment.

THIS INFORMATION MAY REQUIRE A DISSEMINATION LIMITING MARKER (This may be due to a legal requirement, or a requirement to control dissemination or impose a special handling condition)

Could compromise of the information reveal Victorian Cabinet deliberations?

• YES: This information requires the DLM of ‘SENSITIVE: VIC CABINET’.

Could compromise of the information reveal ‘sensitive personal information’ as defined in the Privacy and Data Protection Act 2014?

• YES: This information requires the DLM of ‘SENSITIVE: PERSONAL’.

Could compromise of the information breach legal professional privilege?

• YES: This information requires the DLM of ‘SENSITIVE: LEGAL’.

Could compromise of the information be in breach of any other secrecy provisions or enactments?

• YES: This information requires the DLM ‘SENSITIVE’ (N.B. Ensure you quote the relevant legislative provision).

Could compromise of this material cause LIMITED harm or damage to Victorian state government operations or interests and/or entities or persons within Victoria?

• YES: This information requires the DLM ‘For Official Use Only’ (N.B. This marking cannot be used in conjunction with any other DLM or security classification).

THIS INFORMATION MAY REQUIRE A SECURITY CLASSIFICATION (N.B. Some material may require both a DLM and a security classification)

Could compromise of this information cause damage or harm to Victorian state government operations or interests and/or entities or persons within Victoria?

• NO: This information DOES NOT require a protective marking at this time. The material may be considered UNCLASSIFIED or PUBLIC DOMAIN (if approved for unlimited public release).

• YES: Continue assessment.

Does the information need some degree of protection? (Test: Could compromise of this material cause MAJOR harm or damage to Victorian state government operations or interests and/or entities or persons within Victoria?)

• YES: This information is to be security classified PROTECTED.

Does the information need a substantial degree of protection? (Test: Could compromise of this material cause SIGNIFICANT harm or damage to Victorian state government operations or interests and/or entities or persons within Victoria?)

• YES: This information is to be security classified CONFIDENTIAL.

Does the information need the highest degree of protection? (Test: Could compromise of this material cause SERIOUS harm or damage to Victorian state government operations or interests and/or entities or persons within Victoria?)

• YES: This information is to be security classified SECRET.

DON’T FORGET! Continually assess the information throughout its lifecycle to see if the value has changed.

IMPORTANT: Depending on the content, some information may require more than one marking.
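The ready reckoner walks a fixed sequence of questions, so it can be expressed as a decision procedure that an assessment workflow or labelling tool can apply consistently. The Python below is an added example written for this collection, not tooling from the VPDSF or the CPDP: each Assessment field answers one question from the chart, the harm levels follow the tests printed on the chart (LIMITED leads to ‘For Official Use Only’, MAJOR to PROTECTED, SIGNIFICANT to CONFIDENTIAL, SERIOUS to SECRET), and more than one DLM may be returned, as the chart's IMPORTANT note allows. Assessment, select_marking and the field names are the example's own; the secrecy provision in the sample run is a constructed placeholder.

```python
"""The Appendix C ready reckoner as a decision procedure.

Added example for this page, not tooling from the VPDSF or the CPDP.
Assessment, select_marking and the field names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

HARM_LEVELS = ("none", "limited", "major", "significant", "serious")
HARM_TO_CLASSIFICATION = {"major": "PROTECTED", "significant": "CONFIDENTIAL", "serious": "SECRET"}


@dataclass
class Assessment:
    affects_national_interest: bool = False        # START question on the chart
    reveals_vic_cabinet: bool = False              # Victorian Cabinet deliberations
    reveals_sensitive_personal_info: bool = False  # as defined in the Privacy and Data Protection Act 2014
    breaches_legal_privilege: bool = False         # legal professional privilege
    other_secrecy_provision: Optional[str] = None  # name of the enactment, if one applies
    harm: str = "none"                             # one of HARM_LEVELS
    approved_for_public_release: bool = False      # needed to use PUBLIC DOMAIN


def select_marking(a: Assessment) -> Dict[str, object]:
    """Walk the chart and return the classification, DLMs and instruction it produces."""
    if a.harm not in HARM_LEVELS:
        raise ValueError(f"harm must be one of {HARM_LEVELS}, got {a.harm!r}")

    # National-interest material is outside the VPDSF scheme: the chart sends it to the PSPF.
    if a.affects_national_interest:
        return {"classification": None, "dlms": [], "instruction": "Refer to the Commonwealth PSPF"}

    # Dissemination limiting markers: the chart allows more than one to apply.
    dlms: List[str] = []
    if a.reveals_vic_cabinet:
        dlms.append("Sensitive: VIC Cabinet")
    if a.reveals_sensitive_personal_info:
        dlms.append("Sensitive: Personal")
    if a.breaches_legal_privilege:
        dlms.append("Sensitive: Legal")
    if a.other_secrecy_provision:
        # Appendix A shows this DLM as Sensitive 'XXX', with XXX replaced by the provision.
        dlms.append(f"Sensitive '{a.other_secrecy_provision}'")

    classification = HARM_TO_CLASSIFICATION.get(a.harm)

    # FOUO covers limited harm only when nothing else restricts the material:
    # the chart notes it cannot be combined with any other DLM or a classification.
    if a.harm == "limited" and not dlms and classification is None:
        dlms.append("For Official Use Only")

    if classification is None and not dlms:
        instruction = ("May be marked PUBLIC DOMAIN" if a.approved_for_public_release
                       else "No protective marking required at this time; may be marked UNCLASSIFIED")
    else:
        instruction = "Continually reassess the information throughout its lifecycle"
    return {"classification": classification, "dlms": dlms, "instruction": instruction}


if __name__ == "__main__":
    # Constructed sample assessments; the enactment name is a placeholder, not a real provision.
    for sample in (
        Assessment(),
        Assessment(harm="limited"),
        Assessment(harm="major", reveals_sensitive_personal_info=True),
        Assessment(harm="serious", other_secrecy_provision="s. 99 Example Act (placeholder)"),
        Assessment(affects_national_interest=True),
    ):
        print(sample, "->", select_marking(sample))
```

The result of select_marking is a starting point for the marking decision, not a substitute for it: the chart's DON’T FORGET note still applies, and a marking produced here should be revisited whenever the information's value changes.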
