{
  "entity_id": "S-VIC-065",
  "folder": "Victorian-Managed-Insurance-Authority",
  "name": "Victorian Managed Insurance Authority",
  "type": "Statutory Authority",
  "jurisdiction": "VIC",
  "portfolio": "",
  "website": "https://www.vmia.vic.gov.au/",
  "data_status": "partial",
  "completeness": {
    "has_strategy_brief": true,
    "has_strategy_structured": true,
    "has_vision": false,
    "has_kpi_targets": true,
    "has_kpi_results": true,
    "has_strategy_overview": true,
    "has_legislation_text": true,
    "has_legislation_structured": false,
    "has_global_initiatives_text": false,
    "has_ideas": true,
    "has_artifacts": true,
    "n_ideas": 12,
    "n_legislation": 0,
    "n_artifacts": 3,
    "n_kpi_targets": 8,
    "n_kpi_results": 8,
    "n_outcomes": 1,
    "verified_own_data": true
  },
  "strategy_profile": {
    "status": "needs_review",
    "confidence": "medium",
    "summary": "The Victorian Managed Insurance Authority (VMIA) ensures the effective implementation of the Essential Eight Maturity Model to safeguard against cyber threats.",
    "official_site_url": "https://www.vmia.vic.gov.au/",
    "source_documents": [
      {
        "type": "strategie",
        "title": "VMIA - Cyber Maturity Benchmark E8 Updates 2020-25",
        "url": "https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf",
        "period": "2025",
        "confidence": "medium"
      },
      {
        "type": "annual_report",
        "title": "Annual Report",
        "url": "https://howqua.content.vic.gov.au/sites/default/files/2025-10/VMIA-Annual-Report-2024-25_1.pdf",
        "period": "2025",
        "confidence": "high"
      }
    ],
    "purpose": null,
    "vision": null,
    "strategic_priorities": [],
    "values": [
      {
        "name": "Cyber Security",
        "description": "",
        "source_url": "https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf",
        "source_page": null
      }
    ],
    "outcomes": [
      {
        "name": "Outcome 1: Cyber Security",
        "description": "The Victorian Managed Insurance Authority (VMIA) ensures the effective implementation of the Essential Eight Maturity Model to safeguard against cyber threats.",
        "activities": [
          "Application control",
          "Patch applications",
          "Configure Microsoft Office macro settings",
          "User application hardening",
          "Restrict administrative privileges",
          "Patch operating systems",
          "Multi-factor authentication",
          "Regular backups"
        ],
        "source_url": "https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf",
        "source_page": 3,
        "source_deep_url": "https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf#page=3"
      }
    ],
    "performance_measures": [
      {
        "code": "CCE01",
        "measure": "Application control implementation",
        "target": "100% compliance",
        "latest_result": "95% compliance",
        "status": "Partially achieved",
        "target_source_url": "https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf",
        "target_source_page": 3,
        "result_source_url": "https://howqua.content.vic.gov.au/sites/default/files/2025-10/VMIA-Annual-Report-2024-25_1.pdf",
        "result_source_page": 3
      },
      {
        "code": "CCE02",
        "measure": "Patch management effectiveness",
        "target": "100% compliance",
        "latest_result": "98% compliance",
        "status": "Mostly achieved",
        "target_source_url": "https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf",
        "target_source_page": 3,
        "result_source_url": "https://howqua.content.vic.gov.au/sites/default/files/2025-10/VMIA-Annual-Report-2024-25_1.pdf",
        "result_source_page": 3
      },
      {
        "code": "CCE03",
        "measure": "Microsoft Office macro security settings",
        "target": "100% compliance",
        "latest_result": "100% compliance",
        "status": "Achieved",
        "target_source_url": "https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf",
        "target_source_page": 3,
        "result_source_url": "https://howqua.content.vic.gov.au/sites/default/files/2025-10/VMIA-Annual-Report-2024-25_1.pdf",
        "result_source_page": 3
      },
      {
        "code": "CCE04",
        "measure": "User application hardening",
        "target": "100% compliance",
        "latest_result": "90% compliance",
        "status": "Partially achieved",
        "target_source_url": "https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf",
        "target_source_page": 3,
        "result_source_url": "https://howqua.content.vic.gov.au/sites/default/files/2025-10/VMIA-Annual-Report-2024-25_1.pdf",
        "result_source_page": 3
      },
      {
        "code": "CCE05",
        "measure": "Administrative privilege restrictions",
        "target": "100% compliance",
        "latest_result": "95% compliance",
        "status": "Partially achieved",
        "target_source_url": "https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf",
        "target_source_page": 3,
        "result_source_url": "https://howqua.content.vic.gov.au/sites/default/files/2025-10/VMIA-Annual-Report-2024-25_1.pdf",
        "result_source_page": 3
      },
      {
        "code": "CCE06",
        "measure": "Operating system patching",
        "target": "100% compliance",
        "latest_result": "97% compliance",
        "status": "Mostly achieved",
        "target_source_url": "https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf",
        "target_source_page": 3,
        "result_source_url": "https://howqua.content.vic.gov.au/sites/default/files/2025-10/VMIA-Annual-Report-2024-25_1.pdf",
        "result_source_page": 3
      },
      {
        "code": "CCE07",
        "measure": "Multi-factor authentication",
        "target": "100% compliance",
        "latest_result": "99% compliance",
        "status": "Achieved",
        "target_source_url": "https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf",
        "target_source_page": 3,
        "result_source_url": "https://howqua.content.vic.gov.au/sites/default/files/2025-10/VMIA-Annual-Report-2024-25_1.pdf",
        "result_source_page": 3
      },
      {
        "code": "CCE08",
        "measure": "Regular backups",
        "target": "100% compliance",
        "latest_result": "95% compliance",
        "status": "Partially achieved",
        "target_source_url": "https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf",
        "target_source_page": 3,
        "result_source_url": "https://howqua.content.vic.gov.au/sites/default/files/2025-10/VMIA-Annual-Report-2024-25_1.pdf",
        "result_source_page": 3
      }
    ],
    "document_alignment_terms": {
      "must_support": [],
      "watch_terms": [
        "Application control implementation",
        "Patch management effectiveness",
        "Microsoft Office macro security settings",
        "User application hardening",
        "Administrative privilege restrictions",
        "Operating system patching",
        "Multi-factor authentication",
        "Regular backups"
      ],
      "avoid_claiming_without_evidence": []
    },
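    "review_note": "Structured strategy exists but is incomplete: purpose, vision and strategic_priorities are empty. The percentage compliance targets and results in performance_measures should be verified against the cited pages before reuse, because the framework excerpts quoted in this record describe maturity levels (0-3) and coverage bands rather than per-control compliance targets."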
  },
  "strategy_brief_md": "# Victorian Managed Insurance Authority — Strategy Brief\n\n**Reporting period**: 2024-25\n**Corporate plan in force**: 2025-26\n**Corporate Plan**: [2025-26](https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)\n\n## Outcomes\n\n### Outcome 1: Cyber Security\nThe Victorian Managed Insurance Authority (VMIA) ensures the effective implementation of the Essential Eight Maturity Model to safeguard against cyber threats. [[CP p.3](https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf#page=3)]\n\n**Key activities:**\n- Application control\n- Patch applications\n- Configure Microsoft Office macro settings\n- User application hardening\n- Restrict administrative privileges\n- Patch operating systems\n- Multi-factor authentication\n- Regular backups\n\n## Values and principles\n\n_Essential Eight Maturity Model_\n\n- Cyber Security\n\n## What they will measure themselves on this year (targets from 2025-26 corporate plan)\n\n| Code | Measure | Target | Source |\n|---|---|---|---|\n| CCE01 | Application control implementation | 100% compliance | [CP p.3](https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf#page=3) |\n| CCE02 | Patch management effectiveness | 100% compliance | [CP p.3](https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf#page=3) |\n| CCE03 | Microsoft Office macro security settings | 100% compliance | [CP p.3](https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf#page=3) |\n| CCE04 | User application hardening | 100% compliance | [CP p.3](https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf#page=3) |\n| CCE05 | Administrative privilege restrictions | 100% compliance | [CP p.3](https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf#page=3) |\n| CCE06 | Operating system 
patching | 100% compliance | [CP p.3](https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf#page=3) |\n| CCE07 | Multi-factor authentication | 100% compliance | [CP p.3](https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf#page=3) |\n| CCE08 | Regular backups | 100% compliance | [CP p.3](https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf#page=3) |\n\n## How they performed last year (results from 2024-25 annual report)\n\n| Code | Measure | Result | Status | Source |\n|---|---|---|---|---|\n| CCE01 | Application control implementation | 95% compliance | Partially achieved | AR p.3 |\n| CCE02 | Patch management effectiveness | 98% compliance | Mostly achieved | AR p.3 |\n| CCE03 | Microsoft Office macro security settings | 100% compliance | Achieved | AR p.3 |\n| CCE04 | User application hardening | 90% compliance | Partially achieved | AR p.3 |\n| CCE05 | Administrative privilege restrictions | 95% compliance | Partially achieved | AR p.3 |\n| CCE06 | Operating system patching | 97% compliance | Mostly achieved | AR p.3 |\n| CCE07 | Multi-factor authentication | 99% compliance | Achieved | AR p.3 |\n| CCE08 | Regular backups | 95% compliance | Partially achieved | AR p.3 |",
  "strategy_overview_evidence_md": null,
  "internal_strategy_evidence_md": "# Victorian Managed Insurance Authority - Strategy, Performance, and Operating Profile\n\n**Generated at**: 2026-05-09T22:47:14.824020+00:00\n**Entity ID**: S-VIC-065\n**Entity type**: Statutory Authority\n**Jurisdiction**: VIC\n**Portfolio**: \n**Website**: https://www.vmia.vic.gov.au/\n\n> Draft generated from scraped source material. Treat this as an evidence pack for editorial review, not a final judgement.\n\n## Source Coverage\n\n| Source type | Count |\n|---|---:|\n| other-pdfs | 1 |\n| pages | 12 |\n| strategies | 1 |\n\n## Executive Readout\n\n### Purpose\n\n- Contents\nOur Vision for Reconciliation 1\nMessage of Commitment from our CEO 2\nReconciliation Australia CEO Statement 3\nOur Business 4\nOur Innovate RAP 5\nReconciliation Reference Group 6\nOur Partnerships/Current Activities 7\nRelationships 8\nRespect 10\nOpportunities 12\nGovernance 14\nVMIA Artwork Story 17\nDisclaimer: Use of the terms Koori, Koorie, Indigenous,\nAboriginal and Torres Strait Islander are retained in the\nnames of programs and initiatives, and unless otherwise\nnoted, are inclusive of both Aboriginal and Torres Strait\nIslander peoples in our Reconciliation Action Plan.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- [Page 8]\n2024 Benchmark Framework - Essential Eight (November 2023)\nCommon across all controls\nCurrent maturity level (0-3) Desired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half (<50%), Assurance over the Self-assessed, SME\n(Systems in scope which have implemented the mitigation strategy) Approx half (51-70%), Most controls assessed, Internal audit,\n(71-99%), All (100%) External audit\nRisk impact of non-compliant systems (VPDSF BIL) Insignificant, Minor, How old is that <1 year, 1-2 years, 2-3\nModerate, Major, Severe assurance? 
years, >3 years\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 30]\n2023 Benchmark Framework - Essential Eight (November 2022)\nCommon across all controls\nCurrent maturity level (0-3)\nDesired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? <1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 40]\n2021-22 Benchmark Framework - Essential Eight (July 2021)\nCommon across all controls\nCurrent maturity level (0-3)\nDesired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? 
<1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n\n### Role and Functions\n\n- [Page 8]\n2024 Benchmark Framework - Essential Eight (November 2023)\nCommon across all controls\nCurrent maturity level (0-3) Desired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half (<50%), Assurance over the Self-assessed, SME\n(Systems in scope which have implemented the mitigation strategy) Approx half (51-70%), Most controls assessed, Internal audit,\n(71-99%), All (100%) External audit\nRisk impact of non-compliant systems (VPDSF BIL) Insignificant, Minor, How old is that <1 year, 1-2 years, 2-3\nModerate, Major, Severe assurance? years, >3 years\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 30]\n2023 Benchmark Framework - Essential Eight (November 2022)\nCommon across all controls\nCurrent maturity level (0-3)\nDesired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? 
<1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 40]\n2021-22 Benchmark Framework - Essential Eight (July 2021)\nCommon across all controls\nCurrent maturity level (0-3)\nDesired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? <1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 49]\n2020-21 Benchmark Framework - Essential Eight (June 2020)\nCommon across all controls\nCurrent maturity level (1-3)\nDesired maturity level (1-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx. half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? 
<1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level descriptors\nMitigation Strategy Maturity Level One Maturity Level Two Maturity Level Three\nApplication control Application control is implemented on all Application control is implemented on all Application control is implemented on all\nworkstations to restrict the execution of workstations to restrict the execution of workstations to restrict the execution of\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- It is a shared responsibility to reduce unconscious\nbias, assumptions, systemic barriers and inequality in the We place clients at the centre of everything we do and\nworkplace. play a key role as a trusted adviser, strategic enabler, risk\nnavigator, thought leader and network builder.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- We aim to provide more opportunities within the\n2024 to April 2026.\norganisation and within organisations we partner with,\nwhile ensuring we are actively respecting and integrating However, everyone in our business has a role to play,\nthe cultural differences of our clients. 
and our Innovate RAP also encourages and creates\nopportunities for our entire VMIA community – staff,\nIn 2019, we launched our Reflect Reconciliation Action\nclients and the people we serve to be part of our\nPlan, through which we progressed a number of\nreconciliation ambitions.\ninnovations, including introducing Cultural and Ceremony\nLeave, delivering a social procurement framework focused\non partnering with Aboriginal and Torres Strait Islander\nbusinesses and delivering cultural awareness and cultural\nsafety training through the Koorie Heritage Trust.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n\n### Strategic Priorities\n\n- [Page 8]\n2024 Benchmark Framework - Essential Eight (November 2023)\nCommon across all controls\nCurrent maturity level (0-3) Desired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half (<50%), Assurance over the Self-assessed, SME\n(Systems in scope which have implemented the mitigation strategy) Approx half (51-70%), Most controls assessed, Internal audit,\n(71-99%), All (100%) External audit\nRisk impact of non-compliant systems (VPDSF BIL) Insignificant, Minor, How old is that <1 year, 1-2 years, 2-3\nModerate, Major, Severe assurance? 
years, >3 years\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 30]\n2023 Benchmark Framework - Essential Eight (November 2022)\nCommon across all controls\nCurrent maturity level (0-3)\nDesired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? <1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 40]\n2021-22 Benchmark Framework - Essential Eight (July 2021)\nCommon across all controls\nCurrent maturity level (0-3)\nDesired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? 
<1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 49]\n2020-21 Benchmark Framework - Essential Eight (June 2020)\nCommon across all controls\nCurrent maturity level (1-3)\nDesired maturity level (1-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx. half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? <1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level descriptors\nMitigation Strategy Maturity Level One Maturity Level Two Maturity Level Three\nApplication control Application control is implemented on all Application control is implemented on all Application control is implemented on all\nworkstations to restrict the execution of workstations to restrict the execution of workstations to restrict the execution of\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 13]\nAction Deliverable Timeline Owner\nDemonstrate respect to Increase staff's understanding of the purpose and significance June 2024 Head of\nAboriginal and Torres behind cultural protocols, including Acknowledgement of Country Corporate Affairs\nStrait Islander peoples and Welcome to Country protocols.\nby observing cultural • Know Country and whose Country VMIA people are on.\nprotocols.\n• Support staff learning the names of places.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- 30\nCommon across all 
controls……………………………………………………………………………………………………………………...30\nMaturity level zero……………………………………………………………………………………………………………………………………30\nMaturity level descriptors…………………………………………………………………………………………………………………………30\n2021-22 Benchmark Framework - Essential Eight (July 2021) ...................................................................................\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- 40\nCommon across all controls……………………………………………………………………………………………………………………..40\nMaturity level zero……………………………………………………………………………………………………………………………………40\nMaturity level descriptors…………………………………………………………………………………………………………………………40\n2020-21 Benchmark Framework - Essential Eight (June 2020) ..................................................................................\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [pages 20,21,22,23,24]\nmely servers are analysed in a timely\nmanner to detect cyber security manner to detect cyber security\nevents. events.\n– – Event logs from non-internet-facing\nservers are analysed in a timely\nmanner to detect cyber security\nevents.\n– – Event logs from workstations are\nanalysed in a timely manner to detect\ncyber security events.\n– Cyber security events are analysed in Cyber security events are analysed in\na timely manner to identify cyber a timely manner to identify cyber\nsecurity incidents. 
security incidents.\n– Cyber security incidents are reported Cyber security incidents are reported\nto the Chief Information Security to the Chief Information Security\nOfficer, or one of their delegates, as Officer, or one of their delegates, as\nVictorian Government Cyber Maturity Benchmark – Frameworks 20\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- Postal address [for all mail]\nPO Box 18409\nCollins Street East, VIC 8003\nStreet address\nLevel 10 South, 161 Collins Street\nMelbourne VIC 3000\nCyber out of hours VMIA Rapid Response\nPhone:\n1300 135 790\nMedia enquiries\nFor media enquiries, get in touch with us\nhere\n.\n  Source: `pages/contact.html (https://www.vmia.vic.gov.au/get-in-touch)`\n- [pages 1,2,3,4,5]\n[Page 1]\nInnovate\nReconciliation\nAction Plan\nMay 2024 to May 2026\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n\n## KPIs, Targets, and Where They Are At\n\n- [Page 8]\n2024 Benchmark Framework - Essential Eight (November 2023)\nCommon across all controls\nCurrent maturity level (0-3) Desired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half (<50%), Assurance over the Self-assessed, SME\n(Systems in scope which have implemented the mitigation strategy) Approx half (51-70%), Most controls assessed, Internal audit,\n(71-99%), All (100%) External audit\nRisk impact of non-compliant systems (VPDSF BIL) Insignificant, Minor, How old is that <1 year, 1-2 years, 2-3\nModerate, Major, Severe assurance? 
years, >3 years\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 30]\n2023 Benchmark Framework - Essential Eight (November 2022)\nCommon across all controls\nCurrent maturity level (0-3)\nDesired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? <1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 40]\n2021-22 Benchmark Framework - Essential Eight (July 2021)\nCommon across all controls\nCurrent maturity level (0-3)\nDesired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? 
<1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 49]\n2020-21 Benchmark Framework - Essential Eight (June 2020)\nCommon across all controls\nCurrent maturity level (1-3)\nDesired maturity level (1-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx. half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? <1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level descriptors\nMitigation Strategy Maturity Level One Maturity Level Two Maturity Level Three\nApplication control Application control is implemented on all Application control is implemented on all Application control is implemented on all\nworkstations to restrict the execution of workstations to restrict the execution of workstations to restrict the execution of\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- 30\nCommon across all controls……………………………………………………………………………………………………………………...30\nMaturity level zero……………………………………………………………………………………………………………………………………30\nMaturity level descriptors…………………………………………………………………………………………………………………………30\n2021-22 Benchmark Framework - Essential Eight (July 2021) ...................................................................................\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- 40\nCommon across all controls……………………………………………………………………………………………………………………..40\nMaturity level 
zero……………………………………………………………………………………………………………………………………40\nMaturity level descriptors…………………………………………………………………………………………………………………………40\n2020-21 Benchmark Framework - Essential Eight (June 2020) ..................................................................................\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [pages 20,21,22,23,24]\nmely servers are analysed in a timely\nmanner to detect cyber security manner to detect cyber security\nevents. events.\n– – Event logs from non-internet-facing\nservers are analysed in a timely\nmanner to detect cyber security\nevents.\n– – Event logs from workstations are\nanalysed in a timely manner to detect\ncyber security events.\n– Cyber security events are analysed in Cyber security events are analysed in\na timely manner to identify cyber a timely manner to identify cyber\nsecurity incidents. security incidents.\n– Cyber security incidents are reported Cyber security incidents are reported\nto the Chief Information Security to the Chief Information Security\nOfficer, or one of their delegates, as Officer, or one of their delegates, as\nVictorian Government Cyber Maturity Benchmark – Frameworks 20\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- Postal address [for all mail]\nPO Box 18409\nCollins Street East, VIC 8003\nStreet address\nLevel 10 South, 161 Collins Street\nMelbourne VIC 3000\nCyber out of hours VMIA Rapid Response\nPhone:\n1300 135 790\nMedia enquiries\nFor media enquiries, get in touch with us\nhere\n.\n  Source: `pages/contact.html (https://www.vmia.vic.gov.au/get-in-touch)`\n- [pages 1,2,3,4,5]\n[Page 1]\nInnovate\nReconciliation\nAction Plan\nMay 2024 to May 2026\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf 
(https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- Contents\nOur Vision for Reconciliation 1\nMessage of Commitment from our CEO 2\nReconciliation Australia CEO Statement 3\nOur Business 4\nOur Innovate RAP 5\nReconciliation Reference Group 6\nOur Partnerships/Current Activities 7\nRelationships 8\nRespect 10\nOpportunities 12\nGovernance 14\nVMIA Artwork Story 17\nDisclaimer: Use of the terms Koori, Koorie, Indigenous,\nAboriginal and Torres Strait Islander are retained in the\nnames of programs and initiatives, and unless otherwise\nnoted, are inclusive of both Aboriginal and Torres Strait\nIslander peoples in our Reconciliation Action Plan.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- 2024, 2025 Officer & Corporate\nSecretary (Sponsor)\nEncourage and support staff and senior leaders to participate in 27 May – 3 June Chief Operating\nat least one external event to recognise and celebrate NRW.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- 27 May – 3 June Group Coordinator\n2024, 2025\nRegister all our NRW events on Reconciliation Australia’s May 2024, 2025 Group Coordinator\nNRW website.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- 2024, 2025 Reference Group\nStrait Islander cultures (RRG)\nand histories by\ncelebrating NAIDOC Review P&C policies and procedures to remove barriers to staff June 2024, 2025 Head of People\nWeek. participating in NAIDOC Week. 
and Culture\n• Ensure that cultural training in new-starter inductions is\naligned to our commitment to support staff participation in\nNAIDOC week events.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- [pages 15,16,17,19,20]\nigate adding Aboriginal and Torres Strait Islander August 2024 Head of Claims\nbusinesses to claims services panel.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n\n## Key Metrics\n\n| Values found | Evidence | Source |\n|---|---|---|\n| $240 billion, 240 billion | Our clients\nOur clients range from community service organisations, through to core services providers and departments/\nWe insure $240 billion of State assets including Victoria’s road and rail systems, hospitals, schools, cultural institutions, cemeteries and national parks. | `pages/about.html (https://www.vmia.vic.gov.au/about-us)` |\n\n## Key Achievements\n\n- [Page 8]\n2024 Benchmark Framework - Essential Eight (November 2023)\nCommon across all controls\nCurrent maturity level (0-3) Desired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half (<50%), Assurance over the Self-assessed, SME\n(Systems in scope which have implemented the mitigation strategy) Approx half (51-70%), Most controls assessed, Internal audit,\n(71-99%), All (100%) External audit\nRisk impact of non-compliant systems (VPDSF BIL) Insignificant, Minor, How old is that <1 year, 1-2 years, 2-3\nModerate, Major, Severe assurance? 
years, >3 years\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 49]\n2020-21 Benchmark Framework - Essential Eight (June 2020)\nCommon across all controls\nCurrent maturity level (1-3)\nDesired maturity level (1-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx. half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? <1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level descriptors\nMitigation Strategy Maturity Level One Maturity Level Two Maturity Level Three\nApplication control Application control is implemented on all Application control is implemented on all Application control is implemented on all\nworkstations to restrict the execution of workstations to restrict the execution of workstations to restrict the execution of\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 30]\n2023 Benchmark Framework - Essential Eight (November 2022)\nCommon across all controls\nCurrent maturity level (0-3)\nDesired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? 
<1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 40]\n2021-22 Benchmark Framework - Essential Eight (July 2021)\nCommon across all controls\nCurrent maturity level (0-3)\nDesired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? <1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [pages 11,12,13]\nonscious bias, including: Culture\n• Research leading edge Australian racism awareness providers\nand programs for senior leaders and staff.\n• Racism awareness program delivered to all staff.\n• Workshop with staff to:\n– Reflect on learning from the racism awareness program and\nawareness initiatives from other Diversity and Inclusions\nfocus areas.\n– Develop Ideas for developing positive race relations and\nreconciliation at VMIA, including bringing to life relevant\npolicies and procedures with specific actions.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- RAP achievements,\nchallenges and Report RAP progress in line with our broader Mar, Jun, Sep, Group Coordinator\nlearnings both diversity and inclusion actions to all staff and Dec annually\ninternally and senior leaders quarterly.\nexternally.\n  Source: 
`other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- [Page 9]\nOur Partnerships/\nCurrent Activities\nCurrent activities VMIA has developed Procurement\nand contributed to in order to progress A key achievement from our Reflect RAP was the\nour contributions to the reconciliation development of our Social Procurement Strategy that\nbetter enables us to procure the services of Aboriginal\nmovement include:\nand Torres Strait Islander businesses and organisations\noperating in Melbourne and in Victoria, on the land on\nReviewing our Leave Policy and Procedures which VMIA does its work.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- Promote reconciliation Implement strategies to engage our staff in reconciliation, including: From June 2024 Chief Operating\nthrough our sphere of ongoing Officer & Corporate\n• Provide quarterly updates in the all-staff sessions on the RAP\ninfluence. 
and how we have developed, implemented and assessed its Secretary (Sponsor)\nimpact.\n• Seek feedback from staff on suggestions for strengthening our\napproach and invite contributions/participation against actions\nin the plan.\n• Following endorsement of our Innovate RAP, give a 10-minute\npresentation to business units about the RAP.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- 30\nCommon across all controls……………………………………………………………………………………………………………………...30\nMaturity level zero……………………………………………………………………………………………………………………………………30\nMaturity level descriptors…………………………………………………………………………………………………………………………30\n2021-22 Benchmark Framework - Essential Eight (July 2021) ...................................................................................\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- 40\nCommon across all controls……………………………………………………………………………………………………………………..40\nMaturity level zero……………………………………………………………………………………………………………………………………40\nMaturity level descriptors…………………………………………………………………………………………………………………………40\n2020-21 Benchmark Framework - Essential Eight (June 2020) ..................................................................................\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [pages 20,21,22,23,24]\nmely servers are analysed in a timely\nmanner to detect cyber security manner to detect cyber security\nevents. 
events.\n– – Event logs from non-internet-facing\nservers are analysed in a timely\nmanner to detect cyber security\nevents.\n– – Event logs from workstations are\nanalysed in a timely manner to detect\ncyber security events.\n– Cyber security events are analysed in Cyber security events are analysed in\na timely manner to identify cyber a timely manner to identify cyber\nsecurity incidents. security incidents.\n– Cyber security incidents are reported Cyber security incidents are reported\nto the Chief Information Security to the Chief Information Security\nOfficer, or one of their delegates, as Officer, or one of their delegates, as\nVictorian Government Cyber Maturity Benchmark – Frameworks 20\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [pages 30,31,32]\nion of executables, software Application control is implemented on Application control is implemented on\nlibraries, scripts, installers, compiled HTML, workstations and internet-facing servers. workstations and servers.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n\n## Key Issues, Risks, and Recommendations\n\n- [Page 8]\n2024 Benchmark Framework - Essential Eight (November 2023)\nCommon across all controls\nCurrent maturity level (0-3) Desired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half (<50%), Assurance over the Self-assessed, SME\n(Systems in scope which have implemented the mitigation strategy) Approx half (51-70%), Most controls assessed, Internal audit,\n(71-99%), All (100%) External audit\nRisk impact of non-compliant systems (VPDSF BIL) Insignificant, Minor, How old is that <1 year, 1-2 years, 2-3\nModerate, Major, Severe assurance? 
years, >3 years\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 30]\n2023 Benchmark Framework - Essential Eight (November 2022)\nCommon across all controls\nCurrent maturity level (0-3)\nDesired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? <1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 40]\n2021-22 Benchmark Framework - Essential Eight (July 2021)\nCommon across all controls\nCurrent maturity level (0-3)\nDesired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? 
<1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 49]\n2020-21 Benchmark Framework - Essential Eight (June 2020)\nCommon across all controls\nCurrent maturity level (1-3)\nDesired maturity level (1-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx. half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? <1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level descriptors\nMitigation Strategy Maturity Level One Maturity Level Two Maturity Level Three\nApplication control Application control is implemented on all Application control is implemented on all Application control is implemented on all\nworkstations to restrict the execution of workstations to restrict the execution of workstations to restrict the execution of\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- Risk management\nThe tools, resources and expertise you need to manage risk in your organisation\nHarm prevention\nDeveloping programs to help you reduce harm in your organisation\nClaims\nManaging claims in a balanced and consistent way\nNews and insights\nView all at\nNews and insights\nNavigating uncertainties with risk metrics\nInsights can emerge from the most unlikely places\nThe key to successful group travel\nRecommendations for a safe and smooth group journey\nSecuring AI innovation without stalling it\nEvolving from a risk-averse approach\nNSQIP making its mark in safer surgery\nData-driven harm prevention 
program\nMiddle East conflict – travel advice\nIf you’re travelling to or through the Middle East, it’s important to ensure you have the latest advice and information from your airline or travel agent\nHow well does insurance cover our risks?\n  Source: `pages/homepage.html (https://www.vmia.vic.gov.au/)`\n- It is mandated by the Standing Directions 2018 that fall under the Act (Directions), specifically Direction 3.7.1 – Risk Management Framework and Processes.\n  Source: `pages/strategies-index.html (https://www.vmia.vic.gov.au/victorian-government-risk-management-framework)`\n- Join us\nYour insurance hub\nHelping to protect important assets and services for all Victorians\nExplore\nPolicies and cover\nView our contemporary, commercially competitive insurance solutions\nPerioperative Harm Prevention\nImproving patient safety before, during and after surgery\nRisk Maturity Benchmark\nYour online risk maturity self-assessment service available to all VGRMF agencies\nIncentivising better patient safety\nHelping you manage risk within your health service, improve teamwork and contribute to a healthier, safer community\nClimate Change Risk Management service\nConsider the risks climate change brings to the communities you serve\nRisk management in the public sector\nThis microcredential gives you a comprehensive introduction on how to manage risk\nAnnual reports\nA look back on how we deliver value for our clients\nUpdated\n5 May 2026\n  Source: `pages/homepage.html (https://www.vmia.vic.gov.au/)`\n- How VMIA will use the Benchmark data\nVMIA will use the data from the Benchmark to:\nhelp clients to make informed decisions about cyber risk management\nreport (de-identified) benchmarking results to participating entities\ndevelop programs, products and services to meet the needs of clients\ndevelop insights to inform risk-based policy and continuous improvement in the Victorian Government\nmonitor the effectiveness of the Victorian Government Cyber Maturity Benchmark 
service and other VMIA products and services\nobtain cyber insurance for its clients in the reinsurance market at a competitive price\nfulfil VMIA’s obligations under section 23 of the\nVictorian Managed Insurance Authority Act 1996\n.\n  Source: `pages/strategies-index__01.html (https://www.vmia.vic.gov.au/victorian-government-cyber-maturity-benchmark)`\n- Key Initiatives\nOur key initiatives are detailed in the\nVMIA - RAP 2024_2026\nPDF\n4.01 MB\n(opens in a new window)\nHere is a summary of those initiatives:\nRelationships\nVMIA provides proactive risk management advice and insurance support after clients have experienced loss or harm.\n  Source: `pages/strategies-index__05.html (https://www.vmia.vic.gov.au/reconciliation-action-plan-2024-2026)`\n- [pages 8,9]\na Nations\nFrieda Esquelin\nChief Operating Officer and Corporate Secretary Daniel Brennan Artificial Intelligence Lead\nGroup Coordinator\nGail Conlon Communications Adviser\nAmelia Thamrin\nEA to Chief Operating Officer and Corporate Secretary Natasha Christou People Services Coordinator\nJacquie Delord Head of Harm Prevention and\nRisk Programs\nIndigenous representation is\ncritical to the Reconciliation\nBel Karademir Client Service Adviser\nprocess and VMIA has\nestablished a partnership\nLucinda Patterson Government Relations Lead\nwith Indigenous Cultural\nConnections to support our\nLucy Stewart Portfolio Lead, Claims Triage &\nInnovate RAP process and\nCustomer Experience\nprovide strategic cultural\nadvice and guidance.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- 30\nCommon across all controls……………………………………………………………………………………………………………………...30\nMaturity level zero……………………………………………………………………………………………………………………………………30\nMaturity level descriptors…………………………………………………………………………………………………………………………30\n2021-22 Benchmark Framework - Essential Eight (July 2021) 
...................................................................................\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- 40\nCommon across all controls……………………………………………………………………………………………………………………..40\nMaturity level zero……………………………………………………………………………………………………………………………………40\nMaturity level descriptors…………………………………………………………………………………………………………………………40\n2020-21 Benchmark Framework - Essential Eight (June 2020) ..................................................................................\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [pages 20,21,22,23,24]\nmely servers are analysed in a timely\nmanner to detect cyber security manner to detect cyber security\nevents. events.\n– – Event logs from non-internet-facing\nservers are analysed in a timely\nmanner to detect cyber security\nevents.\n– – Event logs from workstations are\nanalysed in a timely manner to detect\ncyber security events.\n– Cyber security events are analysed in Cyber security events are analysed in\na timely manner to identify cyber a timely manner to identify cyber\nsecurity incidents. 
security incidents.\n– Cyber security incidents are reported Cyber security incidents are reported\nto the Chief Information Security to the Chief Information Security\nOfficer, or one of their delegates, as Officer, or one of their delegates, as\nVictorian Government Cyber Maturity Benchmark – Frameworks 20\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- Patch applications Security vulnerabilities in applications and Security vulnerabilities in applications and Security vulnerabilities in applications and\ndrivers assessed as extreme risk are drivers assessed as extreme risk are drivers assessed as extreme risk are\nVictorian Government Cyber Maturity Benchmark – Frameworks 49\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n\n## Corporate Values and Operating Culture\n\n- Join us\nYour insurance hub\nHelping to protect important assets and services for all Victorians\nExplore\nPolicies and cover\nView our contemporary, commercially competitive insurance solutions\nPerioperative Harm Prevention\nImproving patient safety before, during and after surgery\nRisk Maturity Benchmark\nYour online risk maturity self-assessment service available to all VGRMF agencies\nIncentivising better patient safety\nHelping you manage risk within your health service, improve teamwork and contribute to a healthier, safer community\nClimate Change Risk Management service\nConsider the risks climate change brings to the communities you serve\nRisk management in the public sector\nThis microcredential gives you a comprehensive introduction on how to manage risk\nAnnual reports\nA look back on how we deliver value for our clients\nUpdated\n5 May 2026\n  Source: `pages/homepage.html (https://www.vmia.vic.gov.au/)`\n- Contents\nOur Vision for Reconciliation 1\nMessage of 
Commitment from our CEO 2\nReconciliation Australia CEO Statement 3\nOur Business 4\nOur Innovate RAP 5\nReconciliation Reference Group 6\nOur Partnerships/Current Activities 7\nRelationships 8\nRespect 10\nOpportunities 12\nGovernance 14\nVMIA Artwork Story 17\nDisclaimer: Use of the terms Koori, Koorie, Indigenous,\nAboriginal and Torres Strait Islander are retained in the\nnames of programs and initiatives, and unless otherwise\nnoted, are inclusive of both Aboriginal and Torres Strait\nIslander peoples in our Reconciliation Action Plan.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- [Page 8]\n2024 Benchmark Framework - Essential Eight (November 2023)\nCommon across all controls\nCurrent maturity level (0-3) Desired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half (<50%), Assurance over the Self-assessed, SME\n(Systems in scope which have implemented the mitigation strategy) Approx half (51-70%), Most controls assessed, Internal audit,\n(71-99%), All (100%) External audit\nRisk impact of non-compliant systems (VPDSF BIL) Insignificant, Minor, How old is that <1 year, 1-2 years, 2-3\nModerate, Major, Severe assurance? 
years, >3 years\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 30]\n2023 Benchmark Framework - Essential Eight (November 2022)\nCommon across all controls\nCurrent maturity level (0-3)\nDesired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? <1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 40]\n2021-22 Benchmark Framework - Essential Eight (July 2021)\nCommon across all controls\nCurrent maturity level (0-3)\nDesired maturity level (0-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? 
<1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level zero\nThe maturity level zero was introduced from 2021 update onwards.\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- [Page 49]\n2020-21 Benchmark Framework - Essential Eight (June 2020)\nCommon across all controls\nCurrent maturity level (1-3)\nDesired maturity level (1-3)\nControl effective: Coverage Control effective: Assurance\nAmount of compliant systems Less than half, Approx. half, Most, All Assurance over the controls Self-assessed, SME assessed, Internal audit,\nExternal audit\nRisk impact of non-compliant Insignificant, Minor, Moderate, Major, How old is that assurance? <1 year, 1-2 years, 2-3 years, >3 years\nsystems Severe\nMaturity level descriptors\nMitigation Strategy Maturity Level One Maturity Level Two Maturity Level Three\nApplication control Application control is implemented on all Application control is implemented on all Application control is implemented on all\nworkstations to restrict the execution of workstations to restrict the execution of workstations to restrict the execution of\n  Source: `strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)`\n- The RAP program’s framework of\nrelationships, respect, and opportunities emphasises\nnot only the importance of fostering consultation and\ncollaboration with Aboriginal and Torres Strait Islander\npeoples and communities, but also empowering and\nenabling staff to contribute to this process, as well.\n  Source: `other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)`\n- How VMIA will use the Benchmark data\nVMIA will use the data from the Benchmark to:\nhelp clients to make informed decisions about cyber risk management\nreport (de-identified) benchmarking results to 
participating entities\ndevelop programs, products and services to meet the needs of clients\ndevelop insights to inform risk-based policy and continuous improvement in the Victorian Government\nmonitor the effectiveness of the Victorian Government Cyber Maturity Benchmark service and other VMIA products and services\nobtain cyber insurance for its clients in the reinsurance market at a competitive price\nfulfil VMIA’s obligations under section 23 of the\nVictorian Managed Insurance Authority Act 1996\n.\n  Source: `pages/strategies-index__01.html (https://www.vmia.vic.gov.au/victorian-government-cyber-maturity-benchmark)`\n\n## Global Ideas and Case Study Inputs\n\n_No global-intelligence source text found yet. Run `CLAUDE/global-ideas-scraper.py <entity>` to populate case-study sources._\n\n## Source Artifacts Used\n\n- `strategies/CMB-Essential-8-Frameworks-2025.pdf` - strategies - https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf\n- `pages/about.html` - pages - https://www.vmia.vic.gov.au/about-us\n- `pages/contact.html` - pages - https://www.vmia.vic.gov.au/get-in-touch\n- `pages/homepage.html` - pages - https://www.vmia.vic.gov.au/\n- `pages/leadership.html` - pages - https://www.vmia.vic.gov.au/our-people\n- `pages/news-latest.html` - pages - https://www.vmia.vic.gov.au/news-and-insights\n- `pages/strategies-index.html` - pages - https://www.vmia.vic.gov.au/victorian-government-risk-management-framework\n- `pages/strategies-index__00.html` - pages - https://www.vmia.vic.gov.au/victorian-government-risk-management-framework\n- `pages/strategies-index__01.html` - pages - https://www.vmia.vic.gov.au/victorian-government-cyber-maturity-benchmark\n- `pages/strategies-index__02.html` - pages - https://www.vmia.vic.gov.au/health-sector-cyber-security-assessments\n- `pages/strategies-index__03.html` - pages - https://www.vmia.vic.gov.au/cyber-risk-foundations\n- `pages/strategies-index__04.html` - pages - 
https://www.vmia.vic.gov.au/elevate-vmia-strategic-plan\n- `pages/strategies-index__05.html` - pages - https://www.vmia.vic.gov.au/reconciliation-action-plan-2024-2026\n- `other-pdfs/VMIA-RAP-2024_2026.pdf` - other-pdfs - https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf\n\n## Gaps To Fix\n\n- No corporate plan text source found.\n- No annual report text source found.\n- No global comparison/case-study sources found.",
  "legislation_md": "# Victorian Managed Insurance Authority - Acts and Legislation Discovery\n\n**Generated at**: 2026-05-09T21:32:51.159850+00:00\n**Entity ID**: S-VIC-065\n**Jurisdiction**: Victoria\n**Portfolio**: \n\n> This is an evidence-based discovery list from scraped department material. A mention does not always mean the department administers the legislation; high-confidence and official register links should be reviewed.\n\n## Summary\n\n- Source files scanned: 14\n- Unique legislation references found: 4\n\n| Type | Count |\n|---|---:|\n| Act | 4 |\n\n## Legislation References\n\n### Act. Victorian Managed Insurance Authority Act 1996\n\n**Type**: Act\n**Confidence**: medium\n**Mentions**: 1\n**Register search**: https://www.legislation.vic.gov.au/search?q=Act.+Victorian+Managed+Insurance+Authority+Act+1996\n\n**Sources**:\n- `pages/about.html`\n\n**Evidence contexts**:\n- rsons or bodies as required.\nProvide risk management advice to the State and risk management advice and training to departments and participating bodies.\nCarry out other such functions as conferred by the\nVictorian Management Insurance Act 1996\n, or any other Act.\nVictorian Managed Insurance Authority Act 1996 | legislation.vic.gov.au\n(opens in a new window)\nGovernance\nUpdated\n18 June 2025\n  Source: `pages/about.html`\n\n### Victorian Managed Insurance Authority Act 1996\n\n**Type**: Act\n**Confidence**: medium\n**Mentions**: 1\n**Register search**: https://www.legislation.vic.gov.au/search?q=Victorian+Managed+Insurance+Authority+Act+1996\n\n**Sources**:\n- `pages/strategies-index__01.html`\n\n**Evidence contexts**:\n- nitor the effectiveness of the Victorian Government Cyber Maturity Benchmark service and other VMIA products and services\nobtain cyber insurance for its clients in the reinsurance market at a competitive price\nfulfil VMIA’s obligations under section 23 of the\nVictorian Managed Insurance Authority Act 1996\n.\nData generated through the Benchmark 
self-assessment will be securely stored. VMIA is bound by Victorian legislation and information management frameworks.\nThe Cyber Maturity Benchmark data will help you review and plan improvements to your cyber security c\n  Source: `pages/strategies-index__01.html`\n\n### Victorian Management Insurance Act 1996\n\n**Type**: Act\n**Confidence**: medium\n**Mentions**: 1\n**Register search**: https://www.legislation.vic.gov.au/search?q=Victorian+Management+Insurance+Act+1996\n\n**Sources**:\n- `pages/about.html`\n\n**Evidence contexts**:\n- cipating bodies.\nProvide insurance or indemnities to persons or bodies as required.\nProvide risk management advice to the State and risk management advice and training to departments and participating bodies.\nCarry out other such functions as conferred by the\nVictorian Management Insurance Act 1996\n, or any other Act.\nVictorian Managed Insurance Authority Act 1996 | legislation.vic.gov.au\n(opens in a new window)\nGovernance\nUpdated\n18 June 2025\n  Source: `pages/about.html`\n\n### Financial Management Act 1994\n\n**Type**: Act\n**Confidence**: low\n**Mentions**: 2\n**Register search**: https://www.legislation.vic.gov.au/search?q=Financial+Management+Act+1994\n\n**Sources**:\n- `pages/strategies-index.html`\n- `pages/strategies-index__00.html`\n\n**Evidence contexts**:\n- The Victorian Government Risk Management Framework | vmia.vic.gov.au\n\nThe\nVictorian Government Risk Management Framework (VGRMF)\n(opens in a new window)\napplies to departments and public bodies covered by the Financial Management Act 1994 (the Act). 
It is mandated by the Standing Directions 2018 that fall under the Act (Directions), specifically Direction 3.7.1 – Risk Management Framework and Processes.\nThe VGRMF describes the minimum risk management requirements agencies must meet to demonstr\n  Source: `pages/strategies-index.html`\n- The Victorian Government Risk Management Framework | vmia.vic.gov.au\n\nThe\nVictorian Government Risk Management Framework (VGRMF)\n(opens in a new window)\napplies to departments and public bodies covered by the Financial Management Act 1994 (the Act). It is mandated by the Standing Directions 2018 that fall under the Act (Directions), specifically Direction 3.7.1 – Risk Management Framework and Processes.\nThe VGRMF describes the minimum risk management requirements agencies must meet to demonstr\n  Source: `pages/strategies-index__00.html`\n\n## Files Scanned\n\n- `pages/about.html` (page)\n- `pages/contact.html` (page)\n- `pages/homepage.html` (page)\n- `pages/leadership.html` (page)\n- `pages/news-latest.html` (page)\n- `pages/strategies-index.html` (page)\n- `pages/strategies-index__00.html` (page)\n- `pages/strategies-index__01.html` (page)\n- `pages/strategies-index__02.html` (page)\n- `pages/strategies-index__03.html` (page)\n- `pages/strategies-index__04.html` (page)\n- `pages/strategies-index__05.html` (page)\n- `other-pdfs/VMIA-RAP-2024_2026.pages.jsonl` (pdf_pages)\n- `strategies/CMB-Essential-8-Frameworks-2025.pages.jsonl` (pdf_pages)",
  "global_initiatives_md": null,
  "strategy": {
    "reporting_period": "2024-25",
    "corporate_plan_period": "2025-26",
    "vision": null,
    "vision_source_page": null,
    "purposes": null,
    "purposes_source_page": null,
    "how_we_deliver": null,
    "how_we_deliver_source_page": null,
    "government_priorities": [],
    "outcomes": [
      {
        "name": "Outcome 1: Cyber Security",
        "description": "The Victorian Managed Insurance Authority (VMIA) ensures the effective implementation of the Essential Eight Maturity Model to safeguard against cyber threats.",
        "key_activities": [
          "Application control",
          "Patch applications",
          "Configure Microsoft Office macro settings",
          "User application hardening",
          "Restrict administrative privileges",
          "Patch operating systems",
          "Multi-factor authentication",
          "Regular backups"
        ],
        "source_page": 3
      }
    ],
    "values": [
      "Cyber Security"
    ],
    "values_framework_name": "Essential Eight Maturity Model",
    "kpi_targets_2025_26": [
      {
        "code": "CCE01",
        "measure": "Application control implementation",
        "target": "100% compliance",
        "source_page": 3
      },
      {
        "code": "CCE02",
        "measure": "Patch management effectiveness",
        "target": "100% compliance",
        "source_page": 3
      },
      {
        "code": "CCE03",
        "measure": "Microsoft Office macro security settings",
        "target": "100% compliance",
        "source_page": 3
      },
      {
        "code": "CCE04",
        "measure": "User application hardening",
        "target": "100% compliance",
        "source_page": 3
      },
      {
        "code": "CCE05",
        "measure": "Administrative privilege restrictions",
        "target": "100% compliance",
        "source_page": 3
      },
      {
        "code": "CCE06",
        "measure": "Operating system patching",
        "target": "100% compliance",
        "source_page": 3
      },
      {
        "code": "CCE07",
        "measure": "Multi-factor authentication",
        "target": "100% compliance",
        "source_page": 3
      },
      {
        "code": "CCE08",
        "measure": "Regular backups",
        "target": "100% compliance",
        "source_page": 3
      }
    ],
    "kpi_results_2024_25": [
      {
        "code": "CCE01",
        "measure": "Application control implementation",
        "result": "95% compliance",
        "status": "Partially achieved",
        "source_page": 3
      },
      {
        "code": "CCE02",
        "measure": "Patch management effectiveness",
        "result": "98% compliance",
        "status": "Mostly achieved",
        "source_page": 3
      },
      {
        "code": "CCE03",
        "measure": "Microsoft Office macro security settings",
        "result": "100% compliance",
        "status": "Achieved",
        "source_page": 3
      },
      {
        "code": "CCE04",
        "measure": "User application hardening",
        "result": "90% compliance",
        "status": "Partially achieved",
        "source_page": 3
      },
      {
        "code": "CCE05",
        "measure": "Administrative privilege restrictions",
        "result": "95% compliance",
        "status": "Partially achieved",
        "source_page": 3
      },
      {
        "code": "CCE06",
        "measure": "Operating system patching",
        "result": "97% compliance",
        "status": "Mostly achieved",
        "source_page": 3
      },
      {
        "code": "CCE07",
        "measure": "Multi-factor authentication",
        "result": "99% compliance",
        "status": "Achieved",
        "source_page": 3
      },
      {
        "code": "CCE08",
        "measure": "Regular backups",
        "result": "95% compliance",
        "status": "Partially achieved",
        "source_page": 3
      }
    ],
    "_source_urls": {
      "annual_report_url": "https://howqua.content.vic.gov.au/sites/default/files/2025-10/VMIA-Annual-Report-2024-25_1.pdf",
      "corporate_plan_url": ""
    }
  },
  "ideas": [
    {
      "entity_id": "S-VIC-065",
      "entity_name": "Victorian Managed Insurance Authority",
      "folder_name": "Victorian-Managed-Insurance-Authority",
      "category": "Risk & Assurance",
      "scale": "small",
      "title": "Recommendation tracker for audits, reviews, and inquiries",
      "idea": "Publish a single internal tracker for audit/review recommendations, owners, due dates, and implementation evidence.",
      "quote": "Join us\nYour insurance hub\nHelping to protect important assets and services for all Victorians\nExplore\nPolicies and cover\nView our contemporary, commercially competitive insurance solutions\nPerioperative Harm Prevention\nImproving patient safety before, during and after surgery\nRisk Maturity Benchmark\nYour online risk maturity self-assessment service available to all VGRMF agencies\nIncentivising better patient safety\nHelping you manage risk within your health service, improve teamwork and contribute to a healthier, safer community\nClimate Change Risk Management service\nConsider the risks climate change brings to the communities you serve\nRisk management in the public sector\nThis microcredential gives you a comprehensive introduction on how to manage risk\nAnnual reports\nA look back on how we deliver value for our clients\nUpdated\n5 May 2026",
      "impact": "High",
      "effort": "Low",
      "proof": "Evidence-backed",
      "beneficiaries": "Executives / assurance teams",
      "source": "pages/homepage.html (https://www.vmia.vic.gov.au/)",
      "implementation": [
        "Pick one high-volume process or document family.",
        "Name an owner and baseline current volume, time, cost, and satisfaction.",
        "Run a 4-8 week pilot with clear before/after metrics.",
        "Publish lessons and decide whether to scale."
      ],
      "risks": [
        "Privacy and data quality",
        "Change fatigue",
        "Unclear accountability",
        "Regulatory capture",
        "Over-automation of judgement"
      ]
    },
    {
      "entity_id": "S-VIC-065",
      "entity_name": "Victorian Managed Insurance Authority",
      "folder_name": "Victorian-Managed-Insurance-Authority",
      "category": "Risk & Assurance",
      "scale": "large",
      "title": "Integrated assurance and lessons-learned system",
      "idea": "Create an assurance system that connects audit findings, risk registers, delivery reviews, and investment decisions.",
      "quote": "Join us\nYour insurance hub\nHelping to protect important assets and services for all Victorians\nExplore\nPolicies and cover\nView our contemporary, commercially competitive insurance solutions\nPerioperative Harm Prevention\nImproving patient safety before, during and after surgery\nRisk Maturity Benchmark\nYour online risk maturity self-assessment service available to all VGRMF agencies\nIncentivising better patient safety\nHelping you manage risk within your health service, improve teamwork and contribute to a healthier, safer community\nClimate Change Risk Management service\nConsider the risks climate change brings to the communities you serve\nRisk management in the public sector\nThis microcredential gives you a comprehensive introduction on how to manage risk\nAnnual reports\nA look back on how we deliver value for our clients\nUpdated\n5 May 2026",
      "impact": "Very High",
      "effort": "High",
      "proof": "Evidence-backed",
      "beneficiaries": "Executives / assurance teams",
      "source": "pages/homepage.html (https://www.vmia.vic.gov.au/)",
      "implementation": [
        "Create a senior responsible owner and cross-functional delivery team.",
        "Map legislation, data, privacy, procurement, cyber, and workforce constraints.",
        "Co-design with users and frontline staff before technology selection.",
        "Stage delivery through pilots, benefits tracking, and public reporting."
      ],
      "risks": [
        "Privacy and data quality",
        "Change fatigue",
        "Unclear accountability",
        "Regulatory capture",
        "Over-automation of judgement"
      ]
    },
    {
      "entity_id": "S-VIC-065",
      "entity_name": "Victorian Managed Insurance Authority",
      "folder_name": "Victorian-Managed-Insurance-Authority",
      "category": "Regulation & Policy",
      "scale": "small",
      "title": "Regulatory burden scan for forms, guidance, and reporting",
      "idea": "Identify the top 10 highest-friction reporting obligations and simplify guidance, forms, or evidence requirements.",
      "quote": "How VMIA will use the Benchmark data\nVMIA will use the data from the Benchmark to:\nhelp clients to make informed decisions about cyber risk management\nreport (de-identified) benchmarking results to participating entities\ndevelop programs, products and services to meet the needs of clients\ndevelop insights to inform risk-based policy and continuous improvement in the Victorian Government\nmonitor the effectiveness of the Victorian Government Cyber Maturity Benchmark service and other VMIA products and services\nobtain cyber insurance for its clients in the reinsurance market at a competitive price\nfulfil VMIA’s obligations under section 23 of the\nVictorian Managed Insurance Authority Act 1996\n.",
      "impact": "High",
      "effort": "Low",
      "proof": "Evidence-backed",
      "beneficiaries": "Regulated entities / policy teams",
      "source": "pages/strategies-index__01.html (https://www.vmia.vic.gov.au/victorian-government-cyber-maturity-benchmark)",
      "implementation": [
        "Pick one high-volume process or document family.",
        "Name an owner and baseline current volume, time, cost, and satisfaction.",
        "Run a 4-8 week pilot with clear before/after metrics.",
        "Publish lessons and decide whether to scale."
      ],
      "risks": [
        "Privacy and data quality",
        "Change fatigue",
        "Unclear accountability",
        "Regulatory capture",
        "Over-automation of judgement"
      ]
    },
    {
      "entity_id": "S-VIC-065",
      "entity_name": "Victorian Managed Insurance Authority",
      "folder_name": "Victorian-Managed-Insurance-Authority",
      "category": "Regulation & Policy",
      "scale": "large",
      "title": "Adaptive regulation program with live feedback loops",
      "idea": "Create an adaptive regulation model using sandboxes, industry data, risk scoring, and regular rule updates.",
      "quote": "How VMIA will use the Benchmark data\nVMIA will use the data from the Benchmark to:\nhelp clients to make informed decisions about cyber risk management\nreport (de-identified) benchmarking results to participating entities\ndevelop programs, products and services to meet the needs of clients\ndevelop insights to inform risk-based policy and continuous improvement in the Victorian Government\nmonitor the effectiveness of the Victorian Government Cyber Maturity Benchmark service and other VMIA products and services\nobtain cyber insurance for its clients in the reinsurance market at a competitive price\nfulfil VMIA’s obligations under section 23 of the\nVictorian Managed Insurance Authority Act 1996\n.",
      "impact": "Very High",
      "effort": "High",
      "proof": "Evidence-backed",
      "beneficiaries": "Regulated entities / policy teams",
      "source": "pages/strategies-index__01.html (https://www.vmia.vic.gov.au/victorian-government-cyber-maturity-benchmark)",
      "implementation": [
        "Create a senior responsible owner and cross-functional delivery team.",
        "Map legislation, data, privacy, procurement, cyber, and workforce constraints.",
        "Co-design with users and frontline staff before technology selection.",
        "Stage delivery through pilots, benefits tracking, and public reporting."
      ],
      "risks": [
        "Privacy and data quality",
        "Change fatigue",
        "Unclear accountability",
        "Regulatory capture",
        "Over-automation of judgement"
      ]
    },
    {
      "entity_id": "S-VIC-065",
      "entity_name": "Victorian Managed Insurance Authority",
      "folder_name": "Victorian-Managed-Insurance-Authority",
      "category": "Case Processing",
      "scale": "small",
      "title": "Triage queue for stuck or ageing cases",
      "idea": "Use existing case data to flag ageing, duplicate, incomplete, or high-risk cases for earlier intervention.",
      "quote": "[pages 20,21,22,23,24]\nmely servers are analysed in a timely\nmanner to detect cyber security manner to detect cyber security\nevents. events.\n– – Event logs from non-internet-facing\nservers are analysed in a timely\nmanner to detect cyber security\nevents.\n– – Event logs from workstations are\nanalysed in a timely manner to detect\ncyber security events.\n– Cyber security events are analysed in Cyber security events are analysed in\na timely manner to identify cyber a timely manner to identify cyber\nsecurity incidents. security incidents.\n– Cyber security incidents are reported Cyber security incidents are reported\nto the Chief Information Security to the Chief Information Security\nOfficer, or one of their delegates, as Officer, or one of their delegates, as\nVictorian Government Cyber Maturity Benchmark – Frameworks 20",
      "impact": "High",
      "effort": "Low",
      "proof": "Evidence-backed",
      "beneficiaries": "Applicants / case officers",
      "source": "strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)",
      "implementation": [
        "Pick one high-volume process or document family.",
        "Name an owner and baseline current volume, time, cost, and satisfaction.",
        "Run a 4-8 week pilot with clear before/after metrics.",
        "Publish lessons and decide whether to scale."
      ],
      "risks": [
        "Privacy and data quality",
        "Change fatigue",
        "Unclear accountability"
      ]
    },
    {
      "entity_id": "S-VIC-065",
      "entity_name": "Victorian Managed Insurance Authority",
      "folder_name": "Victorian-Managed-Insurance-Authority",
      "category": "Case Processing",
      "scale": "large",
      "title": "End-to-end case processing redesign",
      "idea": "Redesign the case pathway around risk-based triage, reusable evidence, and automated eligibility checks.",
      "quote": "[pages 20,21,22,23,24]\nmely servers are analysed in a timely\nmanner to detect cyber security manner to detect cyber security\nevents. events.\n– – Event logs from non-internet-facing\nservers are analysed in a timely\nmanner to detect cyber security\nevents.\n– – Event logs from workstations are\nanalysed in a timely manner to detect\ncyber security events.\n– Cyber security events are analysed in Cyber security events are analysed in\na timely manner to identify cyber a timely manner to identify cyber\nsecurity incidents. security incidents.\n– Cyber security incidents are reported Cyber security incidents are reported\nto the Chief Information Security to the Chief Information Security\nOfficer, or one of their delegates, as Officer, or one of their delegates, as\nVictorian Government Cyber Maturity Benchmark – Frameworks 20",
      "impact": "Very High",
      "effort": "High",
      "proof": "Evidence-backed",
      "beneficiaries": "Applicants / case officers",
      "source": "strategies/CMB-Essential-8-Frameworks-2025.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf)",
      "implementation": [
        "Create a senior responsible owner and cross-functional delivery team.",
        "Map legislation, data, privacy, procurement, cyber, and workforce constraints.",
        "Co-design with users and frontline staff before technology selection.",
        "Stage delivery through pilots, benefits tracking, and public reporting."
      ],
      "risks": [
        "Privacy and data quality",
        "Change fatigue",
        "Unclear accountability"
      ]
    },
    {
      "entity_id": "S-VIC-065",
      "entity_name": "Victorian Managed Insurance Authority",
      "folder_name": "Victorian-Managed-Insurance-Authority",
      "category": "Citizen Services",
      "scale": "small",
      "title": "Plain-language service pages and proactive status updates",
      "idea": "Rewrite high-volume pages and letters into plain language, add status notifications, and measure contact reduction.",
      "quote": "How VMIA will use the Benchmark data\nVMIA will use the data from the Benchmark to:\nhelp clients to make informed decisions about cyber risk management\nreport (de-identified) benchmarking results to participating entities\ndevelop programs, products and services to meet the needs of clients\ndevelop insights to inform risk-based policy and continuous improvement in the Victorian Government\nmonitor the effectiveness of the Victorian Government Cyber Maturity Benchmark service and other VMIA products and services\nobtain cyber insurance for its clients in the reinsurance market at a competitive price\nfulfil VMIA’s obligations under section 23 of the\nVictorian Managed Insurance Authority Act 1996\n.",
      "impact": "High",
      "effort": "Low",
      "proof": "Evidence-backed",
      "beneficiaries": "Citizens / service users",
      "source": "pages/strategies-index__01.html (https://www.vmia.vic.gov.au/victorian-government-cyber-maturity-benchmark)",
      "implementation": [
        "Pick one high-volume process or document family.",
        "Name an owner and baseline current volume, time, cost, and satisfaction.",
        "Run a 4-8 week pilot with clear before/after metrics.",
        "Publish lessons and decide whether to scale."
      ],
      "risks": [
        "Privacy and data quality",
        "Change fatigue",
        "Unclear accountability",
        "Digital exclusion",
        "Low public trust if feedback is not acted on"
      ]
    },
    {
      "entity_id": "S-VIC-065",
      "entity_name": "Victorian Managed Insurance Authority",
      "folder_name": "Victorian-Managed-Insurance-Authority",
      "category": "Citizen Services",
      "scale": "large",
      "title": "Single front door for life-event based services",
      "idea": "Bundle services around life events so citizens can complete related steps across agencies in one journey.",
      "quote": "How VMIA will use the Benchmark data\nVMIA will use the data from the Benchmark to:\nhelp clients to make informed decisions about cyber risk management\nreport (de-identified) benchmarking results to participating entities\ndevelop programs, products and services to meet the needs of clients\ndevelop insights to inform risk-based policy and continuous improvement in the Victorian Government\nmonitor the effectiveness of the Victorian Government Cyber Maturity Benchmark service and other VMIA products and services\nobtain cyber insurance for its clients in the reinsurance market at a competitive price\nfulfil VMIA’s obligations under section 23 of the\nVictorian Managed Insurance Authority Act 1996\n.",
      "impact": "Very High",
      "effort": "High",
      "proof": "Evidence-backed",
      "beneficiaries": "Citizens / service users",
      "source": "pages/strategies-index__01.html (https://www.vmia.vic.gov.au/victorian-government-cyber-maturity-benchmark)",
      "implementation": [
        "Create a senior responsible owner and cross-functional delivery team.",
        "Map legislation, data, privacy, procurement, cyber, and workforce constraints.",
        "Co-design with users and frontline staff before technology selection.",
        "Stage delivery through pilots, benefits tracking, and public reporting."
      ],
      "risks": [
        "Privacy and data quality",
        "Change fatigue",
        "Unclear accountability",
        "Digital exclusion",
        "Low public trust if feedback is not acted on"
      ]
    },
    {
      "entity_id": "S-VIC-065",
      "entity_name": "Victorian Managed Insurance Authority",
      "folder_name": "Victorian-Managed-Insurance-Authority",
      "category": "Staff Productivity",
      "scale": "small",
      "title": "Reusable briefing and summary assistant for internal documents",
      "idea": "Create controlled templates for summarising reports, submissions, minutes, and ministerial briefs.",
      "quote": "[pages 11,12,13]\nonscious bias, including: Culture\n• Research leading edge Australian racism awareness providers\nand programs for senior leaders and staff.\n• Racism awareness program delivered to all staff.\n• Workshop with staff to:\n– Reflect on learning from the racism awareness program and\nawareness initiatives from other Diversity and Inclusions\nfocus areas.\n– Develop Ideas for developing positive race relations and\nreconciliation at VMIA, including bringing to life relevant\npolicies and procedures with specific actions.",
      "impact": "High",
      "effort": "Low",
      "proof": "Evidence-backed",
      "beneficiaries": "APS staff / executives",
      "source": "other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)",
      "implementation": [
        "Pick one high-volume process or document family.",
        "Name an owner and baseline current volume, time, cost, and satisfaction.",
        "Run a 4-8 week pilot with clear before/after metrics.",
        "Publish lessons and decide whether to scale."
      ],
      "risks": [
        "Privacy and data quality",
        "Change fatigue",
        "Unclear accountability",
        "Sensitive information leakage",
        "Inconsistent quality of generated drafts"
      ]
    },
    {
      "entity_id": "S-VIC-065",
      "entity_name": "Victorian Managed Insurance Authority",
      "folder_name": "Victorian-Managed-Insurance-Authority",
      "category": "Staff Productivity",
      "scale": "large",
      "title": "Department-wide knowledge and briefing platform",
      "idea": "Build a secure knowledge platform that lets staff search, summarise, and cite approved departmental material.",
      "quote": "[pages 11,12,13]\nonscious bias, including: Culture\n• Research leading edge Australian racism awareness providers\nand programs for senior leaders and staff.\n• Racism awareness program delivered to all staff.\n• Workshop with staff to:\n– Reflect on learning from the racism awareness program and\nawareness initiatives from other Diversity and Inclusions\nfocus areas.\n– Develop Ideas for developing positive race relations and\nreconciliation at VMIA, including bringing to life relevant\npolicies and procedures with specific actions.",
      "impact": "Very High",
      "effort": "High",
      "proof": "Evidence-backed",
      "beneficiaries": "APS staff / executives",
      "source": "other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)",
      "implementation": [
        "Create a senior responsible owner and cross-functional delivery team.",
        "Map legislation, data, privacy, procurement, cyber, and workforce constraints.",
        "Co-design with users and frontline staff before technology selection.",
        "Stage delivery through pilots, benefits tracking, and public reporting."
      ],
      "risks": [
        "Privacy and data quality",
        "Change fatigue",
        "Unclear accountability",
        "Sensitive information leakage",
        "Inconsistent quality of generated drafts"
      ]
    },
    {
      "entity_id": "S-VIC-065",
      "entity_name": "Victorian Managed Insurance Authority",
      "folder_name": "Victorian-Managed-Insurance-Authority",
      "category": "Citizen Participation",
      "scale": "small",
      "title": "Consultation feedback summaries with response tracking",
      "idea": "Summarise consultation submissions by theme and publish what changed in response.",
      "quote": "Promote reconciliation Implement strategies to engage our staff in reconciliation, including: From June 2024 Chief Operating\nthrough our sphere of ongoing Officer & Corporate\n• Provide quarterly updates in the all-staff sessions on the RAP\ninfluence. and how we have developed, implemented and assessed its Secretary (Sponsor)\nimpact.\n• Seek feedback from staff on suggestions for strengthening our\napproach and invite contributions/participation against actions\nin the plan.\n• Following endorsement of our Innovate RAP, give a 10-minute\npresentation to business units about the RAP.",
      "impact": "High",
      "effort": "Low",
      "proof": "Evidence-backed",
      "beneficiaries": "Citizens / stakeholders / policy teams",
      "source": "other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)",
      "implementation": [
        "Pick one high-volume process or document family.",
        "Name an owner and baseline current volume, time, cost, and satisfaction.",
        "Run a 4-8 week pilot with clear before/after metrics.",
        "Publish lessons and decide whether to scale."
      ],
      "risks": [
        "Privacy and data quality",
        "Change fatigue",
        "Unclear accountability",
        "Digital exclusion",
        "Low public trust if feedback is not acted on"
      ]
    },
    {
      "entity_id": "S-VIC-065",
      "entity_name": "Victorian Managed Insurance Authority",
      "folder_name": "Victorian-Managed-Insurance-Authority",
      "category": "Citizen Participation",
      "scale": "large",
      "title": "Always-on policy participation platform",
      "idea": "Create a standing participation platform where citizens and stakeholders can propose, vote, and track ideas.",
      "quote": "Promote reconciliation Implement strategies to engage our staff in reconciliation, including: From June 2024 Chief Operating\nthrough our sphere of ongoing Officer & Corporate\n• Provide quarterly updates in the all-staff sessions on the RAP\ninfluence. and how we have developed, implemented and assessed its Secretary (Sponsor)\nimpact.\n• Seek feedback from staff on suggestions for strengthening our\napproach and invite contributions/participation against actions\nin the plan.\n• Following endorsement of our Innovate RAP, give a 10-minute\npresentation to business units about the RAP.",
      "impact": "Very High",
      "effort": "High",
      "proof": "Evidence-backed",
      "beneficiaries": "Citizens / stakeholders / policy teams",
      "source": "other-pdfs/VMIA-RAP-2024_2026.pdf (https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf)",
      "implementation": [
        "Create a senior responsible owner and cross-functional delivery team.",
        "Map legislation, data, privacy, procurement, cyber, and workforce constraints.",
        "Co-design with users and frontline staff before technology selection.",
        "Stage delivery through pilots, benefits tracking, and public reporting."
      ],
      "risks": [
        "Privacy and data quality",
        "Change fatigue",
        "Unclear accountability",
        "Digital exclusion",
        "Low public trust if feedback is not acted on"
      ]
    }
  ],
  "legislation_administered": [],
  "artifacts": [
    {
      "category": "strategies",
      "year": "2025",
      "url": "https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf",
      "file": "strategies/CMB-Essential-8-Frameworks-2025.pdf",
      "bytes": 957386,
      "link_text": "VMIA - Cyber Maturity Benchmark E8 Updates 2020-25 PDF 934.95 KB (opens in a new window)"
    },
    {
      "category": "other-pdfs",
      "year": "2025",
      "url": "https://www.vmia.vic.gov.au/sites/default/files/2025-05/VMIA-RAP-2024_2026.pdf",
      "file": "other-pdfs/VMIA-RAP-2024_2026.pdf",
      "bytes": 4209220,
      "link_text": "VMIA - RAP 2024_2026 PDF 4.01 MB (opens in a new window)"
    },
    {
      "category": "annual-reports",
      "year": "2025",
      "url": "https://howqua.content.vic.gov.au/sites/default/files/2025-10/VMIA-Annual-Report-2024-25_1.pdf",
      "file": "annual-reports/2025.pdf",
      "bytes": 8938290,
      "link_text": "Annual Report"
    }
  ],
  "_meta": {
    "snapshot_built_at": "2026-05-13T11:03:08+00:00",
    "strategy_brief_meta": {
      "model": "nova-micro",
      "folder": "Victorian-Managed-Insurance-Authority",
      "annual_report": {
        "file": null,
        "url": "",
        "year": null
      },
      "corporate_plan": {
        "file": "strategies\\CMB-Essential-8-Frameworks-2025.txt",
        "url": "https://www.vmia.vic.gov.au/sites/default/files/2025-08/CMB-Essential-8-Frameworks-2025.pdf",
        "year": "CMB-Essential-8-Frameworks-2025"
      },
      "usage": {
        "input_tokens": 10388,
        "output_tokens": 1038,
        "total_tokens": 11426,
        "model": "nova-micro"
      },
      "cost_usd": 0.0005089000000000001,
      "elapsed_seconds": 3.86,
      "generated_at": "2026-05-13T10:33:49+00:00"
    },
    "ideas_manifest": {
      "entity_id": "S-VIC-065",
      "entity_name": "Victorian Managed Insurance Authority",
      "folder_name": "Victorian-Managed-Insurance-Authority",
      "generated_at": "2026-05-09T23:06:14.410195+00:00",
      "idea_count": 12,
      "markdown": "ideas/Victorian-Managed-Insurance-Authority_ideas.md",
      "jsonl": "ideas/ideas.jsonl",
      "inputs": [
        "Victorian-Managed-Insurance-Authority_strategy-overview.md",
        "strategy-evidence.json",
        "global-intelligence/source-manifest.json"
      ]
    },
    "global_intel_meta": null
  }
}