It is important that department and agency IT Asset Registers hold complete and correct data. Missing asset entries can lead to IT assets being overlooked and subsequently unpatched and unmonitored, which can lead to cybersecurity incidents. Missing asset fields can lead to difficulties prioritising assets based on risk and allocating ownership and responsibility.
This guidance defines a minimum standard of asset fields that can be captured for both Application as well as Infrastructure assets. Note that OVIC’s VPDSS provides a minimum standard around Information (Data) assets. This VPDSS Information (Data) Asset Register spreadsheet can be imported into and maintained in your CMDB or Enterprise Architecture system in order to link Information (Data) assets to Application assets more easily.
Please contact the Cyber Security Branch at vicgov.ciso@dpc.vic.gov.au to access the resource WoVG IT Asset Management Data Dictionaries for a detailed breakdown of the recommended Application and Infrastructure fields.
Business Impact Levels
Two main business impact rating systems are used across Victorian Government departments and agencies to indicate Confidentiality, Integrity and Availability consequence (one from OVIC and one used in the Health Sector).
If an agency does not yet use a Business Impact system, or wishes to standardise on one, OVIC’s system is recommended.
The following table describes the OVIC Business Impact Levels:
| Confidentiality (PROTECTED MARKING) | Integrity | Availability |
|---|---|---|
| 5 – Exceptional (TOP SECRET) | 5 - Exceptional | 5 - Exceptional |
| 4 – Serious (SECRET) | 4 - Serious | 4 - Serious |
| 3 – Major (PROTECTED) | 3 - Major | 3 - Major |
| 2 – Limited (OFFICIAL:SENSITIVE) | 2 - Limited | 2 - Limited |
| 1 – Minor (OFFICIAL) | 1 - Minor | 1 - Minor |
| 0 – n.a. (UNOFFICIAL) = no business impact | 0 - n.a. = no impact | 0 - n.a. = no impact |
In some circumstances the aggregation of a data set or multiple data sets may raise the consequence from a Business Impact Level to the next higher one. The combined data itself doesn’t get reclassified at the higher level but the business impact pertaining to the combined datasets, and the cybersecurity controls required to protect against these risks, may be heightened (e.g. a shift from a BIL of 2 to a BIL of 3 for a large aggregation of OFFICIAL:SENSITIVE data).
The health sector in Victoria currently uses ISO 31000: 2018 (VGRMF) / VPHS 2019 Consequence Ratings, a five level system with the following options: Catastrophic, Major, Moderate, Minor, Insignificant/Negligible.
Updated