
City of Darebin is the local government authority for Melbourne's inner northern suburbs of Northcote and Fairfield, out to the traditional middle-ring suburbs of Reservoir and Bundoora, and includes Alphington (part), Kingsbury, Macleod (part), Preston, Reservoir and Thornbury.
Darebin is home to one of the largest, most diverse communities anywhere in the State in terms of cultures, languages, religions, socio-economic background, employment status, occupation, and housing needs. The council actively represents the community’s diversity and acknowledges the Wurundjeri Woi-wurrung people as the traditional owners and custodians of the land and waters we now call Darebin.
City of Darebin employs approximately 950 full-time staff and contractors, supported by 400–500 casual workers across a range of operational services. Staff use a variety of devices, including laptops, notebooks, and mobile phones to access systems and carry out their work. The organisation operates in a predominantly cloud-based IT environment, including core systems and Microsoft 365, with a small number of on-premises legacy systems.
Initially, the council had a small number of IT policies in circulation that were written by an external contractor. With no clear process for updating or maintaining the documentation, the organisation lost visibility and control over the policies which, as a result, became outdated and difficult to manage.
“In the past, keeping our IT Security policies current and aligned with recognised industry standards such as ISO 27001, Victorian Protective Data Security Standards (VPDSS), and Essential Eight was a significant challenge. Developing and maintaining robust security documentation requires specialised expertise and a deep understanding of evolving compliance requirements. For small to medium-sized organisations, dedicating internal resources with this level of capability is often difficult and cost-prohibitive,” comments Om Delhikar, ICT Governance, Security and Risk Officer at City of Darebin.
It was also noted during a quarterly audit that the policies were not up to date. Addressing this would require either engaging a new external consultant or allocating significant internal resources, both of which presented challenges.
City of Darebin went to market for a solution using a request for quote and, after careful consideration, engaged Kaon Security to support it in implementing a comprehensive suite of IT policies. Kaon Security's Policy Management as a Service (PMaaS) offering delivers content tailored to suit the council’s specific IT environment and aligns with the organisation’s broader IT security framework, providing a cost-effective alternative to creating the policies in-house.
“One of the key advantages of the service is the alignment with recognised frameworks such as ISO and VPDSS. Kaon Security monitors changes to these standards and notifies us when updates may affect existing policies. We can then review the proposed changes and decide how they should be applied, creating a collaborative process that keeps policies current without placing a heavy burden on internal teams,” says Om.
During the initial policy workshop sessions, Kaon Security worked with City of Darebin’s team to review each policy in detail, adapt the content to their operational needs, and clarify the intent behind specific policy statements. This process helped ensure the policies were both practical and aligned with the organisation’s existing security framework. Kaon’s expertise also provided valuable guidance when working through complex policy requirements, helping the team avoid misinterpretation and ensuring that the final policies reflected industry best practice.
Om comments, “The service has also improved staff engagement and compliance. In the past, attempts to drive policy awareness through emails and management communication resulted in acknowledgment rates of around 30%. With PMaaS’s built-in compliance tracking and acknowledgement functionality, we have now achieved more than 90% staff compliance.”
Following management approval, the updated policies were published via the organisation’s intranet. Staff can access the IT Security Policy portal directly through a dedicated link, which directs them to the PMaaS platform and the organisation’s Acceptable Use Policy.
Employees are required to read and formally acknowledge the policies through the platform, allowing the organisation to track compliance in real time and ensure staff are aware of their responsibilities.