We take your data privacy and security seriously
If you don’t find the answers you’re looking for below, contact us on 03 9270 6900 or contact@vmia.vic.gov.au.
How can I be confident my data is protected?
VMIA’s Self-Assessment Hub is provided by a third-party software service provider, Blue Zoo.
Our Hub’s system design follows the Microsoft Azure Well-Architected Framework and Security Design Principles. Our system applies industry best practice encryption, and our development lifecycle aligns with the Microsoft Secure Development Lifecycle.
We regularly conduct risk assessments and independent security testing, and we continuously review our controls, including those involving third-party vendors. Our ongoing monitoring of security and data protection ensures your information remains safe and secure.
Is my data encrypted?
Yes, your data is encrypted in transit and at rest using encryption methods aligned with FIPS 140-2 standards.
Is my data stored in Australia?
Your data is stored within Azure Cloud Australia using only Melbourne and Sydney data centres.
VMIA is bound by Victorian legislation and information management frameworks.
What are our security controls?
We implement industry best practice security controls to identify threats and protect your data within the application and at the network perimeter.
How do we secure and control access?
Our system uses role-based access controls (RBAC) for both client user accounts and VMIA administrative accounts. All VMIA administrator accounts are provisioned through our account lifecycle management processes, which are monitored 24x7.
Client Admin roles are responsible for managing other user accounts affiliated with the client’s organisation.
Is there multi-factor authentication?
All accounts in the system require multi-factor authentication.
Can users in my organisation provide access to others?
Client Admin roles within your organisation can create and manage accounts for users in your organisation. Client Admin users are responsible for ensuring that any changes they make are accurate and complete, including removing user access immediately when it is no longer required.
Is my data segregated from other users?
Your organisation’s data is segregated from users in other organisations through application-level controls.
Please be aware that the system administrators of our third-party vendor have access to your data, but solely for IT administration purposes. They can’t share it with anyone else.
How will my data be used by VMIA?
VMIA may use the data from the assessments to:
- assist our clients in making informed decisions about cyber risk management
- report de-identified benchmarking results to participating entities
- develop insights to inform risk-based policy and continuous improvement in Government
- monitor the effectiveness of the assessments and other VMIA products and services
- obtain cyber insurance for our clients in the reinsurance market at a competitive price
- fulfil VMIA’s obligations under section 23 of the VMIA Act 1996
We will not use assessment data to calculate individual insurance premiums.
We’ll seek your explicit permission if we wish to share your identifiable data with third parties.
Will personal information be captured?
Yes, but this is limited to each user’s name, role title, email address and phone number for managing the accounts. We’ve conducted a privacy impact assessment, and will continue to monitor privacy risks in compliance with the Privacy and Data Protection Act 2014 (Vic).