Digital devices, services and information – staff use procedures
Audience
All staff, including contractors, and any parties that access or use the department’s digital devices, services and information.
Version | Date | Description of changes | Approved by |
---|---|---|---|
V02.0.0 | 10/05/2024 | Updated under the 2023 Policy and procedure review program, including conversion into the new template and improving document readability. Added requirements for taking or accessing department devices, services and information from overseas. | Chief Operating Officer |
About the policy
These procedures are designed to be read in conjunction with the Digital devices, services and information – staff use policy.
Term | Definition |
---|---|
Staff | Includes persons directly employed by the department, as well as contractors, volunteers and tertiary practicum students provided access to the department’s digital devices, services or information. |
Digital devices | Electronic devices that can receive, store, process and share digital information and connect to applications, websites and other digital services. They include desktop computers, laptops, tablets, smartwatches, smartphones and other devices, whether department or personally owned. |
Digital services or services | Any software, website or application that can gather, process or communicate information. |
Systems | Any application or information and communications technology (ICT) configuration items that store, transmit, create or use information. For example, end user devices such as mobiles, laptops and portable hard drives. |
Information | Any communication or representation of knowledge such as facts, data or opinions in any medium or form. |
Personal or bring your own device (BYOD) | Any personal digital devices used for work purposes, including accessing department services and information. |
‘Five eyes’ countries | Australia, New Zealand, Canada, the United States of America and the United Kingdom. |
Overseas or international | Any destination outside Australia. This excludes Lord Howe Island and Norfolk Island, which for the purposes of this policy are to be treated as domestic travel. |
Official travel | Where a public sector organisation or service responsible to a minister uses public monies to pay for the travel of a public official or any other person. |
Overseas excursion | A school excursion taking place in a country outside Australia and which includes overnight accommodation the school organises. |
Personally identifiable information | Any piece of information or data that can be used to identify an individual, including: |
Should | Valid reasons to deviate from the item may exist in particular circumstances, but the full implications need to be considered before choosing a different course. No policy exception is required if the condition is not met. |
Should not | Valid reasons to implement the item may exist in particular circumstances, but the full implications need to be considered before choosing this different course. No policy exception is required if the condition is not met. |
Must | The item is mandatory. Any request for deviation must be requested from the Chief Information Security Officer. |
Must not | Not using the item is mandatory. Any request for deviation must be requested from the Chief Information Security Officer. |
Deputy Secretaries (or equivalent):
- comply with and champion this policy
- assess requests from staff to take department devices overseas or access department digital services and information from overseas.
Chief Information Security Officer (CISO):
- ensure the department develops, implements and maintains effective policies and procedures for accessing and using department digital devices, services and information based on the department’s cyber security risk tolerance
- assess and consult on requests from staff to take department devices overseas or access department digital services and information from overseas.
Directors and Executive Directors:
- assess requests from staff within their directorates to take or access department devices, services and information from overseas
- assess and take relevant disciplinary action for escalated non-compliance incidents.
Principals and managers:
- use digital devices, services and information in safe, responsible and respectful ways
- maintain a positive workplace culture that includes and promotes safe, responsible and respectful use of all digital devices, services and information
- inform staff of the Digital devices, services and information – staff use policy and these procedures
- coordinate with the Information Technology directorate to procure and maintain department devices in accordance with this policy and associated guidelines
- model appropriate use of digital devices and services
- report and respond to any breaches and incidents of inappropriate use of digital devices, services and information as required by school procedures, department policy and any statutory and regulatory requirements.
Staff (including contractors):
- use and access digital devices, services and information responsibly, economically, efficiently and in compliance with legal requirements
- ensure that the security of the department’s digital devices, services and information is maintained and not compromised
- take reasonable steps to ensure unauthorised persons cannot access departmental information in any form
- ensure they have deputy secretary (or equivalent) approval to access department digital devices, services and information from overseas
- report inappropriate use of digital devices, services and information to their line manager and the Professional and Ethical Standards directorate in accordance with workplace procedure, department policy and the department’s Code of conduct policy
- ensure licenses are held or purchased for any software installed on a device other than software in the device’s base build as provided and installed by the department.
What needs to be done
The department provides standardised digital devices, operating systems and software to schools, department workplaces and staff.
1. Setup and security
1.1 Secure all department digital devices, services and information
1.1.1 Securing digital devices
All staff must:
- ensure that department digital devices are protected from compromise, loss and damage
- ensure security measures are appropriate to the setting. For example, school locations will require different security considerations to education support locations.
- lock any digital devices when leaving them unattended
- save any open files and close any applications when leaving a digital device unattended
- not give unauthorised persons access to areas where department devices or infrastructure is stored
- not share their login information or provide access to department devices and services through their login to any other person, including students
- conclude concurrent logins as soon as practicable
- store digital devices in a lockable container or other secured area, both at home and at department locations
- cover laptop webcams and unplug desktop webcams when not in use
- not leave department digital devices in any unsecured location, including common areas and motor vehicles
- only access department digital devices using a department-provided login or identity
- not take any action to alter or diminish the security of any department digital device.
1.1.2 Securing digital services and information
All staff must:
- only access department digital services and information using a department-provided login or identity
- take reasonable steps to ensure unauthorised persons cannot access departmental information in any form
- not share their login information, or provide access to department services and information through their login to any other person, including students
- not take any action to alter or diminish the security of any department services or information
- practise good cyber hygiene (refer to 1.1.3 below, 'How to secure digital services and information').
1.1.3 How to secure digital services and information
Securing the department’s digital services and information is critical. Staff must practise good cyber hygiene and follow the guidelines outlined in these procedures.
Digital services and information types | Actions and information |
---|---|
| The department provides an email account for the period of employment. Staff may be held accountable for all activity on the department’s network, applications or data systems that has been accessed using this user ID and password. A department email account: |
Cyber hygiene | Staff must: |
Passwords, passkeys and other authentication methods | Passwords, passkeys and other forms of authentication allow a user to prove they own a particular account or user ID. Staff must: The Password Standard (refer to Policies, strategies and standards) provides more information on the department’s password requirements. |
Network security | Staff must have the approval of the Executive Director, Digital Operations before connecting any external data services to the department’s network. This includes connecting an external data service to any site owned or leased by the department. The department will disconnect from its wide area network any department-owned site found to be connected to an unauthorised external data service until it has been disconnected. External connections can include: The department regularly carries out network data backups, operating system security updates, virus protection software updates and scans on all network computers. To ensure these important processes operate effectively, staff must: |
Sensitive and confidential information | Staff must: If there is a need to store, access or share department data on a personal device, staff must: |
1.1.4 Monitoring digital devices, services and information
The department monitors its digital systems to ensure the confidentiality, integrity and availability of business and education services in line with the Workplace Surveillance Act 2005 (NSW). The department reserves the right to inspect any digital device issued to staff while investigating breaches, incidents and allegations of misconduct. This data may be passed on to police or other investigative bodies. The department may also monitor personal devices used for work.
1.2 Secure personal devices used for work
Staff can choose to use personal digital devices for work under Bring Your Own Device (BYOD) programs. The department does not manage or support these devices.
1.2.1 Securing personal devices
Staff must:
- protect the device with a PIN (personal identification number) or password that complies with the department’s Password Standard (refer to Policies, strategies and standards) and ensure the device locks automatically
- protect the device using appropriate physical security measures (such as storing in a lockable container, ensuring the device is in a secure area not accessible by the public and not leaving devices in your car)
- only store the department’s information in the approved cloud storage platform, OneDrive
- allow the deployment of a digital certificate to enable network traffic decryption and inspection by the department
- comply with the responsibilities and security controls for use of BYOD specified below
- comply with all provisions of this policy and the department’s Cyber security policy and procedures
- report the loss or theft of a personal device used to access or store department data to their manager and EDConnect (1300 32 32 32 option 5) as soon as practicable once the incident becomes known
- comply with ITD directives, within 24 hours if no other deadline is specified, to update system software or take actions (such as changing device settings) to ensure device security.
Support for personal devices
EDConnect provides support for department-issued digital devices and services only. Staff using personal devices should refer to the manufacturer or retailer for technical support.
1.2.2 Remote wiping of personal devices
To protect the confidentiality, integrity and availability of its information, the department may remotely wipe department accounts from any personal device connected to or configured to use its services. Wiping these accounts will erase data such as department email and documents but may also erase any personal data associated with software licensed to the department (such as Microsoft Office 365). The department is not obliged to inform staff of its intention to wipe accounts from the device or provide any support in recovering lost personal data or functionality. Devices will not be remotely wiped without due diligence.
1.2.3 BYOD security requirements
The department requires staff to implement the following controls for any personal device that accesses the department’s digital services or information.
Staff must:
- enrol no more than 5 concurrent mobile devices with the department at any one time
- ensure that personal devices are kept in good working order
- only use approved applications to interact with the department’s data
- not charge individual application, or digital device purchases to credit cards or facilities the department owns or manages
- ensure that applications provisioned and used for work purposes are properly licensed
- back up critical personal information on your preferred backup solution (do not use the department’s cloud storage solutions for personal information) in case of data wipes or corruption
- not use non-department email accounts or cloud services to share the department’s information to and from a personal device
- not modify device functionality unless ITD recommends or requires it. Staff cannot use devices that are ‘jailbroken’ or have been subjected to any other method of altering or disabling built-in protections. This constitutes a material breach of this policy
- apply the most current approved software or firmware updates to personal digital devices, including backing up and restoring data as part of the upgrade and updating process. All software and firmware should be set to automatically update
- enable antivirus and malware protection where it is available
- take appropriate precautions to prevent others from obtaining access to their device(s)
- take responsibility for all transactions made with their credentials
- not provide access credentials for devices connected to department’s internal systems to any other individual
- not download any application that the department has blacklisted (such as TikTok) on any personal device that contains or accesses the department’s information, even if those applications are not used for business purposes.
If the department needs to access a personal device, contact will be made via official channels and in accordance with relevant department policies and procedures. The department will only request access to personal devices or credentials for investigatory purposes.
NEVER provide access to department or personal devices and credentials unless you are certain that the person is an approved staff member. If you are unsure, contact EDConnect on 1300 32 32 32 (Option 5).
1.2.4 Mandated software and certificates
The department may deploy any monitoring or decryption software deemed necessary to maintain the security of its digital services and information. Staff consent to this deployment and monitoring when they opt in to access the department’s network, digital services or information from a personal device.
Staff must:
- allow the deployment of a digital certificate to enable network traffic decryption
- install any mandated mobile device management tool or other software on the department’s advice.
The department conducts all monitoring and decryption practices in accordance with relevant legal and regulatory requirements.
1.2.5 Monitoring of personal devices
Staff who choose to use personal devices under a bring your own device (BYOD) program trade a limited amount of control over the device’s data in exchange for access to the department’s network and information assets. All monitoring is in accordance with the Workplace Surveillance Act 2005 (NSW).
The department may monitor staff members through mobile device management (MDM) software, or any other software deemed necessary.
The department, and any associated entity providing MDM software, will not collect the following information from personal devices unless permitted by law:
- keystroke activity
- photos
- texts composed or received in the built-in messaging application.
1.3 Procure digital devices and services
When approving the purchase or procurement of digital devices or services, staff must ensure the device or service:
- best meets the business unit’s specific needs
- is cost effective
- represents an ethical and efficient use of department resources
- satisfies the department’s ICT contract requirements (see the Cyber security policy).
Type | School staff | Education support staff |
---|---|---|
Hardware | The department has a range of hardware suppliers with mandated contracts to purchase hardware from. Hardware can be purchased via the EDBuy Online Catalogue. For a list of supported devices refer to Standard devices for schools. Hardware not listed in EDBuy is not supported by the department and may not be suitable for the department’s digital environment. To discuss the suitability of devices, contact your local IT team. For further requirements on managing information and communications technology (ICT) contracts, refer to Procurement. | Staff must only purchase digital devices provided through: All staff must note that Microsoft Teams is available to all staff for internal communications. Mobile phones should not be provisioned to staff who do not have additional communication requirements outside of this (for example, staff required to be on call or to communicate with external vendors). For further requirements on managing information and communications technology (ICT) contracts, see Procurement. |
Software | The department has reviewed and rigorously assessed a range of products and programs for use in education settings. Standardised software is available to all school users to support teaching and learning. For more information on available software, see Software. Non-standardised software can also be purchased and sourced from: All software on the above marketplaces has been reviewed and assessed for use by the department. Staff seeking to use software that is not sourced from one of the above locations require additional assessment in accordance with the Cyber security policy and procedures. For a list of assessed applications, see AssessedIT. Staff seeking to procure new IT or digital goods and services must also ensure that the department’s ICT contract requirements are implemented. Staff should contact cyber support or the ITD Tenders teams for assistance. For further requirements on managing information and communications technology (ICT) contracts, see Procurement. | Standardised software is available for download through the Company Portal available on all department devices. Some software may require licences or additional access permissions to appear. Software licences for non-standardised software may be purchased at the business unit’s discretion. All new contracts must incorporate the ICT contract requirements. For further requirements on managing information and communications technology (ICT) contracts, contact Procurement. |
2. Acceptable use
The department provides staff with digital devices and services to enable them to perform their duties. This section outlines acceptable and unacceptable uses of digital devices and services.
Staff must:
- use department digital devices, services and information responsibly and comply with relevant NSW legislation
- use department digital devices, services and information economically and efficiently
- appropriately secure any digital device, service or information used for work purposes (includes personal devices)
- use department digital devices primarily for work purposes.
The department monitors the use of its digital devices, services and information for breaches of this policy and relevant legislation.
2.1 Use department resources economically and efficiently
Use of department-provided digital devices and services must always be economical, efficient and responsible.
Staff must:
- limit the duration of any time-charged communication, including internet sessions and any other data-intensive services
- not use department digital devices or services for income-generating activities
- cancel or hand over any unused licences charged to your business unit.
The department reserves the right to adjust staff mobile data plans to ensure the most economic use of the department’s resources.
Approval to use personal mobile devices for department business purposes, and subsequent reimbursement of costs, should be limited to occasional or extraordinary circumstances. Any reimbursement must be reasonable, justified and not exceed the total cost of the mobile bill.
2.2 Comply with copyright and privacy requirements
The department’s information is subject to privacy and copyright legislation.
Staff must:
- not copy or transmit any material in electronic or physical form that is protected by copyright, except as the law authorises or permits. Refer to Legal Services for more information about copyright
- not disclose, access or use any department controlled personally identifiable information in a manner inconsistent with state and federal privacy legislation and regulatory frameworks. Refer to Information and Privacy Commission NSW for more information
- label and handle official, sensitive and other confidential information in accordance with the NSW Government Information Classification, Labelling and Handling Guidelines
- ensure that personal information is not stored, transmitted or used in department services to enable the separation of business monitored information from personal information. If staff do use department devices or services for this purpose, the department cannot be held responsible for the collection of this data.
2.3 Exercise good judgment when using department devices for personal use
The department acknowledges that staff may occasionally need to use its digital devices and online services for personal reasons.
Staff must:
- only do so in a manner that is infrequent, brief, involves minimal cost and does not interfere with the performance of work, impact on the department’s service delivery, or create an exposure for the department to viruses, legal liability or reputational damage
- accept that the devices are department property and therefore usage will be monitored
- not engage in any unlawful, unacceptable, inappropriate or uneconomical activities.
Staff suspected of abusing their use of department-owned digital devices and online services may be subject to investigation and could face disciplinary action.
2.4 Examples of unacceptable use
Any use of the department’s digital devices or services that could be considered controversial or offensive, or that could potentially damage the department’s reputation or financial position, is unacceptable. The intentional unacceptable use of department digital devices or services may result in disciplinary action. These standards apply whenever departmental equipment (including BYOD) or communication lines are used.
Staff must report prohibited conduct, and the receipt or distribution of inappropriate or unacceptable material, immediately.
Use type | Description | Actions for staff |
---|---|---|
Unacceptable uses of digital devices, services and information | Staff must not use the department’s digital devices or services to create, access, store or transmit information that is: | If they receive such material or observe others engaging in prohibited conduct, staff must report it to their: The PES Reporting Guide provides guidance on when to use the PES Report Form. |
Inappropriate uses of digital devices, services and information | Staff must not: | Staff must report any actual or suspected breach or risk to the department’s cyber security. Staff must: 1. Report to: 2. Consider reporting to other relevant teams, for example: In the case of inappropriate emails (for example, phishing or smishing emails), delete the email without replying or attempting to remove your email address from any mailing list. For more information or reporting unacceptable material, refer to Cyber safety. |
3. Leaving the department
Staff may be provided with a digital device for work-related purposes during their employment with the department. These devices remain the property of the department and must be returned in situations where:
- staff separate from the department
- staff are terminated
- staff take extended leave, including secondments longer than 3 months.
In these circumstances, staff must:
- remove any personal information from the device
- not copy or document department information in any way
- cancel or transfer any software subscriptions paid for by the business unit
- return any department-owned laptops to their principal (for school staff) or to EDConnect (for education support staff)
- notify the ITD telephony team (via EDConnect) of any mobile phone/data services that will no longer be required. Department-owned mobile phones are to be retained by the business unit.
The department will disable access to departmental digital devices, services and information on separation or termination of employment, subject to department policy:
- casual staff – 15 months from last casual pay period
- temporary staff – 12 weeks from disengagement
- permanent staff – 12 weeks after separation.
4. Taking or accessing department digital devices, services and information from overseas
4.1 Apply for or approve overseas travel
Taking and accessing department digital devices, services and information from overseas presents a significant cyber security risk to the department. In line with NSW Government requirements, there are various processes that must be followed before department staff can access digital services and information overseas. This section details the actions for staff, managers, principals, the Cyber Security team, the Chief Information Security Officer (CISO) and deputy secretaries (or equivalent executives).
4.1.1 Applying to access department devices, services or information from overseas
Staff planning to travel overseas must:
- apply for approval if they would like to take or access department digital devices, services or information while overseas. Staff must apply for access at least 28 days before departure to allow time for approval
- only apply for a maximum duration of 180 days access at a time. If a longer time is required, they must submit a new application.
Access will only be granted where necessary to satisfy business requirements and will generally not be granted for personal leave.
Staff can only access department digital devices, services or information from overseas with the appropriate approval. Any unapproved access may result in their account being locked and subject to disciplinary action. Staff must not submit false or misleading information as part of their application.
The provisions under this section do not:
- apply to third-party service providers and vendors engaged under a Third-Party Agreement contract
- contain provisions related to seeking or endorsing official travel, excursions or teacher exchange applications
- cover work health and safety, insurance, physical security or any other matters related to working for the department while overseas.
4.1.2 Official travel, approved excursions and teacher exchange programs
Staff travelling on official business, approved excursions or approved department teacher exchange programs (refer to Scholarships and programs) must first have their travel approved under the appropriate policy or program:
- Travel on official business policy
- Excursions policy
- Teacher exchange programs (refer to Scholarships and programs)
Where travel has been approved under one of the above policies, approval to take or use department devices, services and information from overseas will only be required from the CISO. Staff will be required to provide evidence that travel has been approved under one of the above policies as part of their request.
4.1.3 Transitional arrangements
The provisions of this policy will be enforced from its implementation. Any staff member currently working from overseas, or who has an arrangement to do so in the future, must have their access to department devices, services and information reviewed by the Cyber Security team.
All managers, principals and other staff responsible for managing and approving travel or flexible working arrangements must notify the Cyber Security team (CyberSupport@det.nsw.edu.au) of any staff within their business unit who have working from overseas arrangements in place.
Staff who have arrangements to travel overseas and who plan to access department devices, services and information must complete an international access request per this policy and email CyberSupport@det.nsw.edu.au to ensure the request is managed efficiently.
The Cyber Security team will also work with Human Resources teams to review and document all current approved requests during the transitional period.
4.1.4 Considerations for endorsing and approving officers
Endorsing and approving officers must consider:
- the purpose of the travel
- the duration of the travel (requests have a maximum duration of 180 days)
- the locations of travel and transit
- the business need and associated risk of the travel
- whether the request form is complete, accurate and true.
In assessing applications, endorsing and approving officers should pay particular attention to:
- whether the work could be completed before travel, or handed over to a colleague
- the minimum application, software, information or device requirements to complete the work
- whether travel constraints, such as time zone differences, will have an effect on the achievement of work goals
- the risk to the department’s information security that the requested access poses (see below)
- any other constraints to work practices deemed relevant.
Requests must not be approved to take or access department digital devices, services or information to or from any overseas location determined to be high risk (non-Five Eyes [refer to 4.3 High-risk countries]) unless no other reasonable business solution exists.
Additional information from an applicant may be requested before endorsing or approving a request.
4.1.5 Application and approval guidelines
The following guidelines apply to staff, managers, principals, the Cyber Security team, the CISO and Deputy Secretary.
1. Obtain principal or manager endorsement – staff
Staff must demonstrate the need for accessing department digital devices, services or information from overseas with their principal or manager.
Principals or managers must:
- analyse the business need and, where necessary, help coordinate endorsement from their director and executive director
- consider requests on a case-by-case basis taking into account the factors outlined in ‘Considerations for endorsing and approving officers’.
Manual applications for staff without SAP access
Contractors or other staff members without SAP access will need to submit a manual request form, following the same steps outlined in this section. The various stages must be coordinated manually to ensure the International Access Request (Working from Overseas) (PDF 1382 KB) form is completed satisfactorily (refer to Accessing digital systems while overseas for more information).
2. Obtain written endorsement – staff
Staff need to obtain written endorsement of their requirement to access department digital devices, services or information from overseas from their director and executive director.
Staff should use the Endorsement template (PDF 158 KB) as a guide when seeking written endorsement.
Directors and executive directors must consider requests on a case-by-case basis taking into consideration the factors outlined in section 4.1.4 ‘Considerations for endorsing and approving officers’.
If the delegated line manager is a member of the senior executive, the prior tiers of delegated approvers are not required.
3. Submit SAP request – staff
Staff must submit a request via the International Access (Working from Overseas) (staff only) SAP form with written endorsements from their director or executive director attached. Staff travelling on official business, approved excursions or approved department teacher exchange programs (refer to Scholarships and programs) should instead attach evidence that travel has been approved under the relevant policy.
The SAP workflow item will be forwarded to the relevant principal or manager for review and consideration.
4. Approve the SAP request – principal or manager
Principals or managers should review the contents of the SAP workflow item to ensure accuracy before choosing to approve or reject the request. If approved, the request will be forwarded to the Cyber Security team.
5. Perform a Cyber Security Risk Assessment – Cyber Security team
The Cyber Security team will initiate and document a Cyber Security Risk Assessment for the Chief Information Security Officer (CISO) on receipt of the endorsed request. Once the assessment is finalised, the request will be forwarded to the CISO for endorsement.
The Cyber Security team will maintain a centralised register of all requests, approvals and rejections for staff requests to access department devices, services and information from overseas.
Risk assessment review
The Cyber Security team conducts risk assessments based on internal criteria and procedures. Risk assessments consider the details provided by the requestor against the associated risks of the requested access from overseas locations. At the conclusion of the risk assessment process, the team must provide:
- the Risk Assessment Review to the CISO for feedback and to the Deputy Secretary (or equivalent) should the CISO choose to endorse
- a summary to the requestor should the CISO reject the request.
6. Endorse or reject application – CISO
The CISO must review the request and provide feedback on the risk assessment before choosing to endorse or reject an application. If the CISO chooses to approve an application, they will forward a recommendation to the approving Deputy Secretary.
The CISO must consider:
- the Risk Assessment Review document as prepared by the Cyber Security team
- the factors outlined in 4.1.4 ‘Considerations for endorsing and approving officers’
- any additional information provided after consultation with the Cyber Security team.
In the case of staff travelling on official business, approved excursions or approved department teacher exchange programs, the CISO will provide final approval subject to the risk mitigation strategies outlined in step 8 below.
7. Approve or reject application – Deputy Secretary
If approved by the CISO, the relevant Deputy Secretary (or equivalent) must review the request and risk assessment, and approve or reject the application.
The Deputy Secretary (or equivalent) must consider:
- the Risk Assessment Review document as prepared by the Cyber Threat Intelligence Manager
- the factors outlined in 4.1.4 ‘Considerations for endorsing and approving officers’
- any additional information provided after consultation with the Cyber Security team.
Approval to take or access department devices, services and information overseas should only be considered where the Deputy Secretary (or equivalent) can accept that every effort has been made to mitigate the department’s residual risk.
8. Risk mitigation for approved staff – Cyber Security team
If the application is approved, the Cyber Security team will contact the applicant to complete further actions for risk mitigation.
Staff who have had their request approved must:
- comply with the policies and procedures relevant to their access and travel arrangements
- collaborate with the Cyber Security team and comply with all risk mitigation strategies the team deems appropriate
- complete and submit the Cyber Security team’s relevant checklist (refer to Case studies – Access from overseas) at least one week before travel.
If the Cyber Security team is not satisfied that staff have implemented their risk mitigation strategies, the team may submit a recommendation to revoke any approved access or lock an account.
4.2 Additional cyber security risk mitigation
The Cyber Security team will outline any additional risk mitigation strategies that staff may need to complete before departure. Any additional requirements will be implemented on a case-by-case basis.
If assistance is needed to complete these steps, contact CyberSupport@det.nsw.edu.au.
4.3 Low- and high-risk countries
The Five Eyes partnership is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States. Each of the Five Eyes countries conducts interception, collection, acquisition, analysis and decryption activities, sharing all intelligence information obtained with the others by default.
For travel within Five Eyes countries:
- risk is considered low
- department devices may be approved to be taken to these countries
- generally, no restrictions on digital services or information will be enforced.
For transit or travel within non-Five Eyes countries:
- risk is considered higher and subject to more rigorous risk management
- standard department devices must not be taken or accessed
- ‘clean’ devices (see below) may be taken and accessed where approved
- personal devices may be used to access department digital services and information only where approved. Digital service and information access will be limited to Microsoft Office 365 applications access via the web browser.
4.4 Clean devices for travelling
It is recommended that staff travelling on official business to high-risk locations use a special ‘clean’ device for travel. Clean devices have never been connected to a NSW Government IT network and never will be. Clean devices will be arranged by the Cyber Security team for loan as part of risk mitigation.
On return from overseas travel, staff must:
- return all clean devices to ICT support staff for inspection and wiping
- report any suspected compromise of the ‘clean’ device or other suspicious behaviour to EDConnect.
See Telephony for more information on purchasing mobile devices or data services.
4.5 Appealing a decision
If the request is rejected, staff must not access department digital devices, services or information from overseas. If the CISO rejected the request, staff may submit a formal appeal by:
- contacting the relevant executive director and presenting a case for review
- attaching the Risk Assessment Summary document provided by Cyber Security.
If appeals are rejected, they must not be resubmitted. If appeals are approved, they will be subject to any additional risk mitigation controls deemed necessary.
The Appeal template (refer to Accessing digital systems while overseas) provides further direction.
If the direct escalation for an appeal is a Deputy Secretary (or equivalent), the applicant must raise the appeal with them directly.
4.5.1 Evaluating requests for review
When an appeal is escalated, the reviewer must:
- review the request rationale in light of the Risk Assessment Summary decision
- endorse or reject the appeal request.
If a reviewer endorses the appeal, they must:
- raise the appeal with the relevant Deputy Secretary (or equivalent) via a briefing, email or minuted meeting
- notify the Cyber Security team (CyberSupport@det.nsw.edu.au) that the appeal has been escalated to the Deputy Secretary (or equivalent) and include the team in all related correspondence.
4.5.2 Endorsement of an appeal
Deputy secretaries (or equivalent) who have had an endorsed appeal request escalated to them must:
- review the original request and any new evidence or information provided as part of the appeal
- consult the Cyber Security team for additional information or clarification if required.
If a Deputy Secretary (or equivalent) chooses to overturn the CISO’s original decision, they must notify the Cyber Security team (CyberSupport@det.nsw.edu.au) so the decision can be updated on the central register.
4.6 Variations to itineraries, locations and/or dates
If there are changes or cancellations to the submitted itinerary, staff must:
- contact their delegated approvers as soon as possible
- submit a travel itinerary variation request or resubmit a new application (see below).
Variations to travel locations:
- changes before initial approval – staff must withdraw their request in SAP and resubmit a new request (including re-obtaining written endorsement)
- changes before departure but after obtaining approval from the Deputy Secretary – contact CyberSupport@det.nsw.edu.au for further information.
Variations to travel dates:
Changes to travel dates, before or after obtaining approval, require staff to:
- notify their principal or manager of changes
- notify CyberSupport@det.nsw.edu.au and provide the approval reference number and new dates
- submit a new travel request if the changes to dates put the travel period over 180 days.
4.7 Approvals for staff already overseas
Staff must not take department devices overseas before obtaining approval from the Deputy Secretary or equivalent. Access to department devices while already overseas therefore cannot be granted.
If staff are contacted directly by their principal or manager to advise or action a business-critical assignment while overseas, access may be granted in exceptional circumstances. In these cases:
- the onus of submitting a request for access is on the requesting principal or manager
- access will be restricted to Microsoft Office 365 applications used explicitly via the web browser.
Requesting principals or managers should contact the Cyber Security team at CyberSupport@det.nsw.edu.au.
4.8 Overseas travel checklist
4.8.1 Before travelling overseas
Before travelling overseas, staff must take a number of precautionary measures to safeguard department devices, services and information.
Staff intending to work from overseas must:
- obtain appropriate travel authorisation in line with Travel on Official Business policy, Excursions policy or approved teacher exchange programs (refer to Scholarships and programs)
- follow the process outlined within this policy to obtain approval for taking or accessing devices, digital services and information overseas
- complete the department’s annual mandatory cyber security training and Accessing department devices and services from overseas training
- fulfil reporting and consent requirements for any national security clearance you hold
- seek advice from the Department of Foreign Affairs and Trade if seeking to access information (digital and hard copies) or services containing information that is classified as Protected, Secret or Top Secret
- notify their delegated approvers where changes to travel locations or dates occur (see ‘Variations to travel itineraries’ for more information).
Before travelling, staff must comply with the following mandatory requirements for device security.
Staff must:
- remove all department accounts and related information from any unapproved personal devices while overseas
- remove all department contact details from their department or personal devices, other than those required for travel (such as contact details for their principal or manager)
- ensure all their devices automatically lock (15-minute locking standard) and a secure authentication mechanism is in place (for example, passcode, fingerprint or other biometric identification)
- create different passwords for all department digital services they will access overseas (to avoid the risk of having to change expiring passwords while overseas).
In addition, staff should:
- be familiar with the Australian Cyber Security Centre’s overseas travel guidelines
- check the Smartraveller website for the latest country specific travel advice.
4.8.2 Using department devices, services and information overseas
While working overseas, staff must comply with this policy, as well as the following department policies:
- Code of conduct policy
- Cyber security policy
- Excursions policy (as required)
- Travel on Official Business policy and guidelines (as required)
- Work health and safety (WHS) policy.
4.9 Reporting emergencies
Staff must report any loss, theft, potential compromise or unusual behaviour of devices during overseas travel to EDConnect (1300 32 32 32). EDConnect can be contacted Monday-Friday from 7:30am-6pm AEST.
4.10 Mandatory and discretionary requirements
There are a number of mandatory requirements for staff while they are working from overseas. These are outlined below, along with discretionary considerations.
Staff must:
- only take approved department digital devices during the overseas travel period
- only access department digital services and information approved for use during the overseas travel period, and only from approved devices
- only connect department or personal devices to the Internet using a private mobile personal hotspot created by a device that they alone have access to (for example, create a hotspot requiring authentication to connect using a department or personal mobile phone)
- put devices in ‘flight mode’ when travelling and only enable Wi-Fi when required for use
- power off devices during transit, inside airport buildings or when device is not in use for an extended period
- lock their devices when not in use for short periods
- place department devices in carry-on luggage
- cover or unplug webcams when not in use
- assume that any digital devices that have been taken out of their sight, once returned to them, have potentially been compromised (for example, taken for inspection by foreign government officials, or lost or stolen and later found or returned)
- use encrypted Voice over IP (VoIP) applications such as Microsoft Teams for making business calls or attending business meetings.
Staff must not:
- take or create any hard copies of protected, secret or top secret information without first seeking advice from the Department of Foreign Affairs and Trade. Refer to Protective Security Policy Framework: Classification system for more information
- access any department information or digital service that contains any personally identifiable information or other sensitive or confidential information
- use any public network connections including those in hotels or airports
- use any local support facilities (such as a computer or mobile repair shop)
- use removable media (USB sticks), especially those provided by other organisations, for data transfers. It is best to transfer any documents via filesharing utilities such as Microsoft Teams or OneDrive
- store any department information on personal devices for offline use. Only cloud storage may be used such as Microsoft Teams or OneDrive
- share department credentials or devices with any other person
- use department digital devices, services or information for personal use.
Staff should:
- exercise discretion when disclosing information about work and overseas travel to another person
- consider powering down devices when sensitive information is to be discussed in person
- ensure devices (and peripherals such as chargers) are with them at all times or locked in a secure storage facility
- be alert to suspicious behaviour and their surroundings in public so that people can’t see their screen or see them entering sensitive information
- practise caution when giving out their personal email address and phone number
- consider support limitations from the department due to signal strength, bandwidth and other factors.
Staff members are required to assume certain responsibilities for any device that contains the department’s information or directly connects to the department’s resources.
Staff must:
- only access department digital services and information while overseas from approved personal devices
- remove any department services and information from unapproved personal devices before travel
- change department login credentials before and after overseas travel in line with the department’s Password Standard (refer to Policies, strategies and standards)
- comply with all other provisions that relate to BYOD within this policy.
Additionally, if travelling to a high-risk location, staff must:
- only access Office 365 software via a web browser using an ‘incognito’ (private browsing) window. No desktop versions may be used or synced
- create a separate operating system user profile on the device for work-related purposes only. The profile must be secured via a secure authentication mechanism such as a strong biometric or a hardware security token like a YubiKey
- use an incognito browser window for all work to ensure that no cookies, login information or tokens are saved in the browser cache
- not access department digital services that require software to be installed on the device.
4.11 Responsible use of digital devices, services and information
Staff using the department’s digital devices, services and information overseas must do so appropriately and in accordance with local and Australian law.
Staff travelling overseas are subject to the laws and regulations of the country to which they are travelling. The department is not responsible for any illegal activity they undertake during this time.
Before travel, staff should review the Smartraveller website and any other relevant sites for information regarding local laws that may impact use of digital devices, services and information in overseas locations.
Refer to section 2 ‘Use digital devices, services and information responsibly’ for information regarding unlawful use within Australia.
The following are considered inappropriate use of department digital devices and services specific to overseas travel:
- taking any department digital devices or information overseas without relevant approval
- accessing any department digital services or information while overseas using either work or personal digital devices without relevant approval
- connecting approved digital devices to any overseas unsecured networks
- sharing department digital devices, services and information with unapproved users in any capacity
- using department digital devices overseas for purposes unrelated to business activities
- continuing to use department digital devices where a known or potential compromise occurs.
Refer to section 2 ‘Use digital devices, services and information responsibly’ for information regarding inappropriate use in all circumstances.
4.12 International roaming
The department’s standard mobile contracts incur high usage charges when used overseas. If you are taking an approved department mobile device overseas for use, use the international roaming option infrequently and economically. If you will require extended use of international roaming, contact the Mobile Devices team (mobilecomms@det.nsw.edu.au) for advice, additional information or assistance with mobile devices or contracts before travelling overseas.
4.13 Arriving back in Australia
On returning to the country, staff must:
- return all clean devices to ICT support staff for inspection and wiping
- confirm that passwords for any digital service used or accessed while overseas have been changed
- hand over any suspicious gifts or compromised devices to ICT support staff for examination
- report any suspected compromise of a device or other suspicious behaviour to EDConnect.
Record-keeping requirements
Refer to Functional Retention and Disposal Authority: FA387 (PDF 106 KB) for information on retaining and disposing of records.
Staff members need to preserve relevant business communications and ensure they comply with the department’s Records Management Program when deleting any electronic business communication.
Business communications, including email and other forms of messaging sent electronically become official records, subject to the State Records Act 1998 and the department’s Records Management Program. Electronic records are subject to the same standards of record keeping that apply to paper records.
Supporting tools, resources and related information
Read this document with reference to the following:
- Cyber Security policy
- Digital devices and online services for students policy
- Work health and safety (WHS) policy
- Child protection – responding to and reporting students at risk of harm policy
- Child protection – allegations against employees policy
- Code of conduct policy
- Travel on Official Business policy and guidelines
- Excursions policy
- NSW Workplace Surveillance Act 2005
Policy contact
The Chief Information Security Officer monitors the implementation of this procedure, regularly reviews its contents to ensure relevance and accuracy, and updates it as needed.