Determine the Information Asset Value
This follows on from the
VPDSF Setup guide, however this step may be revisited multiple times.
The value of an Information Asset is derived from the potential consequences to the organisation that may result from a compromise of that information.
In OVIC, this is referred to as the
Business Impact Level, or
BIL.
Consequences are typically defined as part of your Risk Framework, where the increasing level of consequences are defined across multiple categories.
Individual Victorian Public Sector (VPS) agencies may have their own Risk Framework that defines consequence levels that do not align 1:1 with the Business Impact Levels.
For example, the most critical consequence for a local Victorian council is unlikely to "cause exceptionally grave damage to the national interest", which is the most critical Business Impact Level.
Where these are not aligned 1:1, we need to map the VPS consequences to the OVIC Business Impact Levels.
Steps
There are 2 steps required to determine the Information Asset value:
- Step 2.1: Define Consequences
- Step 2.2: Define Information Asset Compromise Consequences