Policy Management as a Service Implementation

About Hobsons Bay City Council

Situated on Port Phillip Bay around 10 kilometres west of central Melbourne, Hobsons Bay City Council covers an area of approximately 66 square kilometres, which includes 20 kilometres of bay frontage, quality residential areas, and a huge expanse of environmentally significant open space. The region is also home to Victoria's chemical and petroleum industries and contains some of the state's largest industrial enterprises. The local economy includes a growing number of manufacturing, transport and goods distribution companies plus a large number of light and service industries.

Background

Hobsons Bay City Council employs around 700 staff, all IT knowledge workers, including 150 field workers who use mobile phones and tablets for their tasks. As part of an ongoing transformation project, the organisation has moved to a hybrid IT environment that is primarily Microsoft-focused. While some legacy and on-premise infrastructure remains, this is gradually being phased out in favour of more modern, cloud-based solutions.

Challenges

While the Council had established certain IT policies, these were inadequately maintained and did not possess the necessary structure or alignment to effectively meet the organisation’s needs. It was determined that the current policies were unsuitable in light of the Council’s evolving technology landscape and risk profile.

“When we initially began reviewing our policies, it became clear that they did not align with best practice guidance from recognised bodies such as ISO and the Australian Signals Directorate, nor did they adequately reflect relevant legislative and regulatory requirements. My objective was to establish a robust and comprehensive suite of policies that would support continuous improvement. Achieving this required replacing our existing policies, as they were not written to the standard necessary for our operational and compliance needs,” comments Roger Verwey, Manager Digital Services.

Solution

Policy Management as a Service (PMaaS) from Kaon Security provided the ideal solution, offering a fast and efficient way to implement a comprehensive framework of IT policies that would continue to adapt to council’s technology environment and business needs. All the policies are mapped to international standards and best practice guidance. Hobsons Bay City Council also gain ongoing access to experts who help to keep the policies, standards and guidance up to date. Roger comments “One of the key strengths of the PMaaS policies is their clear structure - each policy begins with a concise, easy to read statement followed by a detailed explanation. This format greatly enhances our ability to communicate policy content effectively and helps staff understand the rationale behind each requirement. Additionally, we have access to expert guidance from Kaon Security, which provides valuable support in addressing any questions from our team regarding the policies, standards, guidance, or regulatory obligations.”

Benefits

The initial workshop conducted by Kaon Security helped ensure that the policies were tailored to the organisation’s needs and priorities. “The workshop was highly effective, facilitated by a policy expert from Kaon Security. The session provided a comprehensive review of our current practices, outlined recommended approaches, and helped identify existing gaps. This expert led guidance was helpful in refining our approach and ensuring closer alignment with recommended practices and regulatory considerations.” says Roger.

The policies have become a practical guide for daily operations. “Many of our operational activities are shaped by the policies - ranging from network design and configuration to firewall settings, patch management, security updates, and general user practices,” adds Roger.

“The introduction of the new policies has also streamlined our review processes, making them more structured and efficient. We can now review, submit, and update policy content with greater ease, supported by clear version control and defined review timelines. This has significantly improved our audit preparedness, enabling us to demonstrate that council policies are current and that review cycles are well documented.”

Leadership

The Council is integrating the new policies into standard operational procedures. All employees are required to review and acknowledge the organisation’s Information Security Agreement policy, which has been developed directly from the underlying service policies. Annual mandatory cyber awareness training, closely aligned with this policy framework, reinforces the significance of security responsibilities for all staff members. To promote accessibility, the complete suite of policies is available on the intranet, providing both a reference for employees and a valuable resource for the IT team.