Victorian Government Cyber Maturity Benchmark FAQ

According to the ACSC, implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident.

Completing the Benchmark self-assessment enables agencies to:

• assess and understand their ability to maintain or improve maturity relative to the current cyber threat environment
• produce reporting that can be used to make decisions about investment in cyber security improvements
• compare their cyber maturity against a whole-of-government benchmark or selected sectors.

The ACSC is committed to providing cyber security advice that is contemporary, contestable and actionable. This includes regular updates to the Essential Eight Maturity Model. The main changes are:

• updating maturity levels and what they represent
• moving to a stronger risk-based approach to implementation
• implementing the mitigation strategies as a package.

For more information see the full ACSC FAQs(opens in a new window) here.

Available Cyber Maturity Benchmark help:

• the Self-Assessment Hub – Cyber Assessments provides instructions on how to complete the self-assessment tool, reporting and benchmarking functionality
• Improving Cyber Maturity with the Essential Eight guide is a starting point for you to understand how to implement the strategies in your organisation
• visit Cyber Maturity Benchmark
• contact VMIA on (03) 9270 6900 or cyberservice@vmia.vic.gov.au
• the Improving Cyber Maturity with the Essential 8 Guide (linked below)

The Cyber Maturity Benchmark is voluntary.

Even if you already know your Essential Eight maturity, participating in the assessment contributes to Victoria’s Cyber Strategy Mission One: The safe and reliable delivery of government services via the Essential Eight monitoring program. Departments and agencies are strongly encouraged to contribute to the management of this State-significant risk by participating in the Benchmark.

The Benchmark aims to measure cyber maturity across the whole of Victorian Government. Therefore, all Victorian Government departments and agencies are encouraged to participate.

Selected non-government organisations may be asked to participate due to their connection to government systems or critical infrastructure.

If you’ve already completed an assessment, you should automatically have access to the self-assessment you’ve completed. If you’re unsure, or are interested in participating in the Benchmark by completing an assessment for the first time, please contact us on (03) 9270 6900 or cyberservice@vmia.vic.gov.au.

The ACSC recommends that you implement the Essential Eight in a graduated manner. Your organisation should decide on your current and desired maturity level based on a number of factors including your sector, size, resources, activities, and risk profile.

In the assessment, coverage refers to the percentage of systems which have implemented the required security controls. The assurance section refers to how recently you’ve had the controls audited; either externally, internally or by a subject-matter expert which could include someone in your organisation with cyber certifications.

Managed Service Providers (MSPs), also known as third-party ICT providers, play a key role in the management and supply of ICT for public sector organisations. Understanding which controls are managed by your MSP is part of having a strong working relationship with your MSP and ensuring your organisation is effectively protected.

Refer to the "Working with Managed Service Providers" section in the below guide for tips.

As soon as a minimum of five agencies in a category have submitted their responses, the benchmarking reports become available. There are a range of filter options for you to compare your agency to others by criteria such as portfolio, sector, budget and number of staff.

Yes, you can still access results from your previous assessment. However, if there’s any update to the Essential Eight model, it may not be a direct comparison with the previous year.

The assessment remains optional, however, the updated Essential Eight model aims to keep pace with the current threat landscape using a risk-based approach to implementation. The latest self-assessment will let you know if your organisation is keeping pace against evolving cyber risk.

You can complete and update your self-assessment as many times as you wish within the Benchmark cycle of each year which will run from September 1st to November 30th annually. In case you need to update the self-assessment after it has been approved, please reach out to us to re-enable the submission

The Essential Eight contains the technical control strategies to implement part of the Victorian Protective Data Security Standards (VPDSS), Standard 11 – ICT Security. You can certainly use the results of your Essential Eight assessment towards your Standard 11 reporting, but it doesn’t replace it.

Additionally, it provides a practical way to implement part of the NIST Cyber Security Framework.

The information you provide for VPDSS Standard 11 – ICT Security, remains with OVIC and is not used for whole of government cyber benchmarking. Alternatively, the responses you develop for VPDSS Standard 11 can be re-used in the self-assessment for the Cyber Maturity Benchmark. Participating in the Benchmark allows you to compare your organisation against others in the Victorian Public Sector.

VMIA will not use the benchmark data to calculate individual insurance premiums.

The Cyber Maturity Benchmark data will be used by the Victorian Department of Government Services (DGS) to:

• understand and report on cyber security maturity across the Victorian Public Sector
• make informed decisions about where to invest in improving cyber security across the Government
• develop targeted capability and peer sharing programs to assist agencies to improve cyber security in priority areas
• report to Government on the overall Essential Eight maturity of public sector organisations.

If the DGS wishes to share your identifiable data with third parties, they will request your permission.

VMIA may use the data from the Benchmark to:

• assist our clients to make informed decisions about cyber risk management
• report de-identified benchmarking results to participating entities
• assist our clients to make informed decisions about cyber risk management
• develop programs, products and services to meet the needs of our clients
• monitor the effectiveness of the Cyber Maturity Benchmark service and other VMIA products and services
• obtain cyber insurance for our clients in the reinsurance market at a competitive price
• fulfil VMIA’s obligations under section 23 of the VMIA Act 1996.

VMIA will not use the Benchmark data to calculate individual insurance premiums.

Content is securely stored and the VMIA is bound by Victorian legislation and information management frameworks.

No. Your results will be de-identified and included in aggregated benchmarking data and reports made available within the VMIA Self-Assessment Hub and in reporting outside the tool.

Benchmarking data and reports are available to other Cyber Maturity Benchmark participants, however, they do not disclose your agency’s identity.

If VMIA or the DGS wishes to share your identifiable data with any third parties, they will need to request your permission to do so.

VMIA and the DGS may use your entity’s results when:

• reporting on cyber security maturity to your portfolio department
• responding to requests from your portfolio department

You will be notified of any future additional uses of the data held in the Cyber Maturity Benchmark before they are implemented.

Participation in the Cyber Maturity Benchmark is voluntary, and you may delete the data relating to your entity at any time.

Yes, multiple people in your agency can have access to the Benchmark. To learn more about the different user roles, please refer to the Self-Assessment Hub user guide.