Using the Victorian Protective Data Security Standards (VPDSS) to Manage 3rd-Party Risk

Learn how to manage the cyber security of contractors, vendors and other third parties using the Victorian Protective Data Security Standards (VPDSS).

Carina Nevill 30 September 2024

By Emily Tabet, Cyber Security Consultant, Phronesis Security

As organisations grow, they can find themselves at a crossroads – continue to manage IT internally, or outsource to a third-party provider (also known as a managed service provider, or MSP)? 

The latter can provide a range of benefits, including reduced licence and infrastructure costs, access to a broad range of specialist skillsets, flexibility and scalability, and on-demand IT support that may otherwise not be possible with smaller internal teams. However, without careful management, outsourcing IT can also create dangerous blind spots that undermine your cybersecurity and overall IT resilience.

Section 8 ‘Third Party Arrangements’ of the Victorian Protective Data Security Standards (VPDSS) provides a framework that organisations of all shapes and sizes can utilise to mitigate these risks. Despite being designed specifically for the public sector, the principles are highly applicable to any organisation seeking to share data and system access securely with external partners. 

What are the VPDSS? 

Other than being a tongue twister, the Victorian Protective Data Security Standards outline the minimum requirements for any organisation responsible for storing and processing Victorian government information. The standards draw on internationally recognised standards and policies such as ISO/IEC 27001:2022, the Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF) to improve the public sector’s ability to protect data from threats such as data theft, ransomware attacks, and loss of system availability, to name a few.

While designed for the needs of the public sector, it is also a great resource for businesses, which can greatly benefit from implementing similar practices to protect data and manage risks, particularly in a landscape where third-party vendors often play a critical role in operations.

Mitigating Third Party Risk using VPDSS 

Pre-engagement: Set yourself up for success 

Before entering a third-party arrangement, it is crucial that governance structures are in place to ensure third parties are not only capable, but also accountable for maintaining a strong security posture and service reliability. Organisations should embed specific data protection clauses into contracts, as well as audit rights, and termination rights or penalties for non-compliance.

Some common risks that arise from missing key activities during this stage include: 

  • Potential legal and regulatory complications, as third parties may operate out of different jurisdictions to that of the customer (e.g., storing data in data centres overseas).
  • Insufficient segregation of duties, especially in environments where third parties manage both infrastructure and data, resulting in personnel ‘marking their own work’ when it comes to security or service suitability.
  • Unclear governance or process accountability, where no one takes ownership of critical tasks, increasing the likelihood of non-compliance or system failures. This can also slow down incident response, which can have significant regulatory and financial repercussions.

Elements E8.010, E8.020 and E8.040 of the VPDSS define the governance “guardrails”, aimed at setting clear technical security expectations (e.g. KPIs and reporting) that define what third parties can or cannot do with your data and systems. These expectations should be formalised in service level agreements (SLAs) and contracts, which outline clear responsibility models and segregation of duties to ensure proper oversight throughout the engagement. It is critical that these governance structures are applied throughout the entire lifecycle of the third-party relationship, from pre-engagement assessments through to ongoing operations and post-termination protocols.

Additionally, before entering a third-party arrangement, E8.030 emphasises the importance of performing an information security risk assessment of the third party’s service offering and security practices before finalising the arrangement. This can be done via a questionnaire which includes key questions about the provider’s ownership structure, the type of data the third party will have access to, the locations in which they operate and store information, and their existing security practices. Answers collated from this questionnaire can be used to inform a risk assessment and identify whether the third party’s security practices align with your security, legal and regulatory requirements.

Mid-engagement: Consistency is key 

Continuous monitoring of third-party security practices throughout the entire lifecycle of the engagement is essential due to the ever-evolving nature of risks and threats. Element E8.060 identifies regular review of the risk assessment as one method of doing so.

It is crucial that this takes into consideration the evolving needs of the business, as well as the threat landscape. Operational requirements and security technologies that may have been fit-for-purpose last year may no longer be suitable following changes to the structure or operations of the organisation. The underlying context of the organisation should be revisited, as well as the efficacy of controls managed by third parties, which may have reduced or elevated the significance of specific risks and risk treatments. 

Without continuous monitoring of third-party risks, issues such as outdated security measures can arise and leave your organisation unprotected against new vulnerabilities and threats. Additionally, third parties may unknowingly introduce risks by adopting new technologies, subcontracting work to unknown parties, or making internal changes that weaken their security posture. The absence of up-to-date information from the third party to support this monitoring may be a red flag that the third party is not meeting its ongoing obligations. In turn, this could result in lapses in technology maintenance, leaving you vulnerable to data breaches or operational disruptions.

Typically, this is managed by an oversight or steering committee composed of representatives from legal, procurement, IT and cybersecurity to provide ongoing assurance that all aspects of the agreement – technical and legal – are being met. 

Managing multiple providers: plan for prioritisation 

It is common for organisations to increasingly rely on third parties over time, with some responsible for critical business functions and others simply helping keep the wheels turning. This can make assessing and managing the varying levels of risk over time a challenge. In these situations, a tiered approach is very useful.

This involves categorising vendors based on a variety of factors including vendor reputation, the sensitivity and criticality of systems and data they access, and the extent of process responsibility outsourcing (e.g., management of user accounts versus simply providing cloud storage). Accordingly, it is useful to implement tailored strategies for each tier of vendor. This allows organisations to allocate resources effectively, ensuring that high-risk vendors receive more stringent oversight while maintaining a streamlined process for lower-risk relationships.  

Termination and post-engagement: Finish strong 

Lastly, just because a third-party engagement is over does not mean the risk of a security breach has disappeared. Secure termination and post-engagement monitoring are crucial to ensure no sensitive information ends up in the wrong hands, either during the engagement or post-termination.

A common oversight is allowing user access to persist after a contract has ended or failing to enforce clear data retention and deletion policies once the third party no longer requires access. While enforcing this (especially with a good vendor) can seem onerous, an analogy I often use is this: you wouldn't leave your belongings behind at a hotel just because you had a good stay. Secure termination is therefore like checking every room for misplaced valuables before returning your keys.  

In line with E8.090 of the VPDSS, appropriate security controls must be established at the completion or termination of a third-party arrangement. These controls ensure that your organisation remains protected, even after the relationship has ended. Some key considerations for secure termination include: 

  • Data deletion procedures – ensuring all your organisation’s data is no longer accessible to third parties and is disposed of in accordance with the Archives Act, the Australian Privacy Principles, and other industry, regulatory and legal requirements.
  • Deactivation of access – review and revoke all vendor access to ensure they no longer have access to your systems.

Finally, the key to secure termination lies in proactive account management throughout the engagement. By continuously monitoring access controls, data residency, and the vendor's security posture, you set yourself up for success for a smooth and secure termination when the engagement concludes. 


Final Thoughts 

Outsourcing IT management to third parties can provide a broad range of operational benefits – but it is not a set-and-forget solution. Ongoing third-party risk management requires support and investment from the entire business (not just the cyber security department!) in the form of oversight, clear governance structures, and ongoing assurance checks throughout the lifecycle of the engagement. To set yourself up for success, it is crucial to minimise the opportunity for miscommunication or ambiguity that could result in falling victim to attacks originating in these blind spots.
