Setup Victorian Protective Data Security Framework (VPDSF)

Setup Victorian Protective Data Security Framework (VPDSF)

This guide provides an overview of the on-boarding process for organisations utilising the Victorian Protective Data Security Framework (VPDSF). This assumes a newly initialised tenant of a newly subscribed tenant.

Navigate to Setup

  1. Navigate to Step 1 of the Interactive VPDSF Guide via the navigation menu:
    1. Click Guides in the navigation menu, and then VPDSF.
      The VPDSF Guide menu item

    2. Click 'Identify your information assets' link.
      OVIC's 5 Step Action Plan Entry Points

    3. Click the right most arrow button, or the Step 1.1: Setup VPDSF sub-menu item.
      Interactive Guide Navigation Step Buttons

Step 1.1 Setup VPDSF

The Victorian Protective Data Security Standards (VPDSS), the Business Impact Level (BIL), the default OVIC Risk Framework, the Protective Data Security Plan (PDSP) aligned time horizons need to be imported if they are not already, and the Mitre Att&ck based Threats mapped to the VPDSS controls that can detect and mitigate them.
As soon as this step loads, the current state is checked. As each required item is confirmed, the associated checkbox will either be ticked or not, where a tick indicates that the named data has been loaded. In the first instance, these should all be unticked.
Once all elements have been checked, the 'Import Default VPDSF' button will be enabled, if an import is required.
  1. Click the 'Import Default VPDSF' button
    VPDSF Preparation Setup

  2. Wait. This can take a while.
    VPDSF Preparation Import

  3. Once all the activity indicators have completed and all checkboxes have be ticked, the import is complete.
    VPDSF Preparation Import Complete

  4. Click the right next arrow button, or the Step 1.2: Setup Tenant Profile sub-menu item.

Step 1.2 Setup Tenant Profile

The Tenant Profile represents the details about your organisation.
The name and summary are used by the AI Assistant, if used, to guide the content generation in some circumstances. The Organisation Head, Information Security Lead, sector, employee and IACS details are used to populate the associated sections of the PDSP when it is generated.
There are 3 primary options for setting up the Tenant Profile:
  1. Option 1: Manual Entry
  2. Option 2: Cybersecurity Office Excel
  3. Option 3: Assistant Recommendations

Option 1: Manual Entry

Just type in each field and click the 'Save' button.
Tenant Profile Manual Entry Option

Option 2: Cybersecurity Office Excel

This is only applicable if you have an excel file in the required format pre-populated with the tenant profile information required.
  1. If the Options section is not open, click on it to expand the available Options.
  2. Click on 'Option 2: Cybersecurity Office Excel'
    Tenant Profile Excel Import Option

  3. If you don't already have an excel file in the right format, click the 'here' button to generate one from the current state of your security profile
  4. Update the details on the Tenant worksheet in Excel and save the changes
    When your Security Profile is already populated, all data in the Excel file will be ingested and any matching entities updated.
    To constrain which data is imported, just keep the worksheets with the data required. For example, if you only want to import Tenant Profile data, delete all worksheets except for the Tenant worksheet before uploading.
  5. Click on the 'Import Asset Registry' button, click the 'Choose File' button on the dialog and then click the 'Import' button
    Tenant Profile Excel Import Dialog

  6. When it is complete, the Tenant Profile should be updated to reflect the content of the spreadsheet.

Option 3: Assistant Recommendations

If you don't have an overview of your own organisation handy, you can ask the AI Assistant to summarise your organisation for you.
  1. Enter the name of your organisation into the Tenant Name field
    This is all the AI Assistant uses to come up with the summary. The accuracy of the summary generated is dependent on the name in this field. If the organisation is part of the AI Model's training data, it should be relatively accurate. If not, it will basically make up something that sounds plausible. In all cases when using AI Assistant generated information, it is your responsibility to ensure it is accurate and appropriate.
  2. If the Options section is not open, click on it to expand the available Options
  3. Click on 'Option 3: Assistant Recommendations'
  4. Check the 'Enable Assistant Recommendation' checkbox
    This enables the AI Assistant Banner above the Tenant Profile
  5. Check the 'Allow Tenant Name to be Sent to OpenAI for Analysis' checkbox to enable the 'Generate' button
  6. Click the 'Generate' button
    Tenant Profile AI Assistant Summary Option

  7. Wait. This can take a while.
  8. When the AI Assistant has its suggested summary, it will fill out the summary field for you to review.
  9. Review, revise or replace and click the Save button.
  10. The AI Assistant only provides input on the tenant summary, everything else requires manual input.

Next Steps

  1. Click the right next arrow button, or the Step 1.2: Setup Tenant Profile sub-menu item.
  2. See the Define Platform Teams article for details

    • Related Articles

    • Protective Data Security Plan (PDSP) 2024

      The Protective Data Security Plan (PDSP) Every 2 years, each Victorian Public Agency (VPA) is required to produce a Protective Data Security Plan (PDSP). OVIC provides guidance and templates for how to achieve this. It is typically produced via one ...

    • Define Consequences: Option 1: Use VPDSF BIL

      This is a one of the options for Defining the Consequences. Option 1: Use VPDSF BIL If Step 1.1 was performed and the Risk Framework hasn't been changed since, the 'Use VPCSF Bill Risk Framework' button will be disabled. If it is enabled, click the ...

    • Determine the Information Asset Value

      This follows on from the VPDSF Setup guide, however this step may be revisited multiple times. Step 2.0 Determine the Information Asset Value The value of an Information Asset is derived from the potential consequences to the organisation that may ...

    • Define Consequences

      This is a one-time setup step required as part of Determining the Information Asset Value. Note: Changing the Risk Categories after classifying Information Assets based on a prior Risk Framework can result in those classifications being broken. Step ...

    • Define System Assets

      This follows on from the VPDSF Setup guide, however this step may be revisited multiple times. Step 1.4 Define System Assets A System Asset refers to any component, whether hardware, software, network, or information system, that is essential to the ...