This policy outlines different requirements for the use of PSDs based on the classification of information.

Transcription

1 POLICY OFFICE OF THE INFORMATION COMMISSIONER Use of portable storage devices 1. Purpose A Portable Storage Device (PSD) is a mobile device capable of storing and transferring digital information. Examples include portable USB or flash keys, memory cards, smartphones, tablets, laptops, notebooks, personal digital assistants, MP3 players, ipods, rewritable CDs, e- readers and any other device with inbuilt accessible storage. PSDs are becoming ubiquitous in the workplace. Many employees have at least a smartphone. 1 Agencies invariably have their own devices which are either issued to employees in the course of their employment (most usually a mobile telephone) or provided to employees on a temporary basis when business is conducted away from the employee s desk (usually laptops or workissued USB keys). In addition to storage, tablets and smartphones have some computing capabilities and have the potential to be incorporated as a commonplace tool for some core business activities. When employees use their personal PSDs in this way it is known as bring your own device (BYOD). BYOD includes home computers/laptops used under authorised working from home arrangements. This policy sets out permitted use of PSDs (including BYOD) at the Office of the Information Commissioner (OIC), based on the classification of OIC information. Its primary purpose is to ensure the security and integrity of OIC information and records Relevant authority A number of laws and policies are relevant to the use of PSDs at OIC, including: Right to Information Act 2009 (Qld) (RTI Act) Information Privacy Act 2009 (Qld) (IP Act) Public Records Act 2002 (Qld) Queensland Government Information Security Classification Framework 3 Parliamentary Services Network Security & ICT Device Usage Policy 4 OIC Code of Conduct. This policy also draws on the guidance on record-keeping obligations for mobile and smart devices provided by Queensland State Archives (QSA). 1 In April 2011, 37 per cent of the adult mobile user population in Australia was estimated to be using a smartphone - Australian Communications and Media Authority (ACMA) Communications report In particular, information received or created in performance of the Information Commissioner s functions. 3 Queensland Government Information Security Classification Framework. 4 Parliamentary Services Network Security & ICT Device Usage Policy. version 1

2 3. Application This policy applies to any person with access to the OIC network including OIC staff, temporary workers, contractors and service providers. Failure to comply with this policy is potentially a breach of OIC s Code of Conduct Classification of OIC information This policy outlines different requirements for the use of PSDs based on the classification of information. OIC is responsible for managing information which has been classified by other agencies as well as classifying information that it creates or sources from third parties. Parliamentary Services maintains the security of OIC s information network. Overall, OIC s network (shared drives, intranet, corporate , phones, faxes, printers) is secure and is suitable for storage of a range of confidential material such as staff-in-confidence, audit-in-confidence, legal-in-confidence etc. Importantly, cabinet-in-confidence material is classified as protected. This means that cabinetin-confidence material is not authorised to be stored or transferred on the OIC network. Cabinetin-confidence material must never be stored on PSDs. For the purposes of this policy 6, OIC records will fall into one of three categories inconfidence, unclassified or public. 4.1 In-confidence information Exempt information is information claimed by an agency or third party to be exempt as part of an external review under RTI Act or IP Act. 7 Exempt information should be classified by the originating agency or third party. Where a classification has not been applied, OIC will generally treat the information as in-confidence. OIC has practices in place to ensure that exempt information is stored securely in hard copy and only added to the OIC network for limited purposes (such as redaction) and with limited access (such as through Contact or g:drive permissions). Privacy complaint information and documents as defined in section 153(2) of the IP Act are also classified as in-confidence. Other information which will normally be classified as inconfidence includes much of the information created in the performance of: external review and other decision-making functions 8 performance monitoring functions Commit to our roles in public service Our role is to undertake our duties, and to give effect to the policies of the elected government, regardless of its political complexion. We will: e. adhere to the policies, organisational values and organisational documents of our employing agency. 6 Classification of information is based on the Queensland Government Information Security Classification Framework (QGISCF). See: OIC is currently reviewing and updating its more comprehensive document classification policy 7 Also known as matter in issue. 8 Sections 129 and 130 of the RTI Act.

3 support functions (Information and Assistance, Training and Stakeholder Relations) 10 budgetary functions 11 some non-legislative functions (e.g. managing human resources and workplace security). 4.2 Unclassified information Information assets that do not need special security controls are classed as unclassified. Unclassified information may include documents stored on the 'H drive' (e.g. staff members personal records, such as their resume) and working documents created for OIC support functions by Information and Assistance and Training and Stakeholder Relations Public information Public information is any document received or created by OIC which is normally accessible to the public including: publicly-available OIC resources research material such as cases and articles approved training material. 5. Types of PSDs 5.1 Corporate PSDs Corporate PSDs are those owned by OIC and include encrypted USB keys and OIC-issued smart phones 13 and laptops. Corporate PSDs are available to eligible staff on application from the Manager, Corporate and Executive Services (MCES). In general, officers will be eligible to use Corporate PSDs where there is a genuine business need to do so, such as conducting training or audits off-site. Only the OIC Executive is issued with smart phones on an ongoing basis. 14 Corporate PSD are managed by MCES who maintain a register of which officers Corporate PSDs are issued to and the dates of issuance and return. Once an officer is issued a Corporate PSD they are the sole officer responsible for that device and are not permitted to loan it to anyone, including other OIC staff. Officers who wish to use a Corporate PSD should contact MCES. Corporate PSDs should be used for work purposes only. The content on the Corporate PSD is subject to the laws and policies governing OIC records generally, including the Public Records Act If the PSD contains new content which constitutes a public record (see section 8), then this must be transferred to the appropriate folder in OIC s network before the PSD is returned to MCES. No user- generated content must be left on the PSD before its return to MCES. 9 Section 131 of the RTI Act. 10 Section 128 and 132 of the RTI Act. 11 Section 133 of the RTI Act. 12 Section 128 and 132 of the RTI Act. 13 Currently iphones. 14 OIC-issued smart phones cannot be borrowed or shared amongst officers.

4 5.2 BYOD OIC does not generally encourage the use of BYODs. However, OIC acknowledges that BYODs have features that are not available from desktop PCs, and that Corporate PSDs do not always meet business needs. For example, the corporate-issued laptop does not have activated or text messaging capability. OIC also permits limited working from home arrangements. OIC also acknowledges that it will sometimes be necessary for officers to transfer personal information and/or personal records to their own devices. However, the use of BYOD is strictly limited by the terms of this policy and the use of BYOD may be subject to monitoring to ensure compliance with this policy. The BYOD owner will be wholly responsible for all costs associated with the device, including repairs, maintenance and upgrades. The BYOD owner must also accept responsibility for the consequences of use of the device for work purposes. This can include a requirement that all files, personal and work related, be wiped remotely from the device in the event of loss or theft (see security requirements below). Registered BYOD Officers may apply to MCES to use BYODs for work purposes. In general, this will be limited to the use of home computers/laptops, smart phones or tablets to assist with conducting genuine OIC business. For example, enabling officers to work part-time at home or to have access to OIC on their smartphone, or permitting tablets to be connected to the OIC network to transfer meeting notes and other documents. Corporate PSDs should be used in preference to BYOD wherever this is possible. Officers should not use their own USB keys for work purposes but should instead use a corporate-issued USB key. MCES will maintain a register of approved BYOD arrangements. To apply for registration, officers should contact MCES. The capacity exists for officers to access work accounts over the internet which can enable the officer to access their work s on a BYOD. Access to web-mail must be organised through MCES. Security requirements for registered BYOD If an employee is granted permission to use BYOD for work purposes, the following security measures are mandatory. If officers need assistance with installing and utilising the required security functions on their BYOD, assistance should be sought of MCES at the time of registration. If the intended BYOD does not have appropriate security capacities, registration may not be granted. If the device is a smart phone or tablet: The device must have password (or equivalent) locking functionality. The password (or equivalent) must be enabled at all times. The device must have current virus and malware protection. The device must have the capacity to be remotely located and the data on the device remotely wiped.

5 All OIC data and information must be stored in a folder that has encryption capability and individual password protection. The password for the folder must be different to that of the device itself. The device must have software that securely wipes files. 15 If the device is any other PSD: Access to the device must be password locked (or equivalent) Any OIC data and information must be stored in a folder has encryption capability and individual password protection, unless the device or folder is incapable of encryption, in which case the information is encrypted before transfer. The device must have software that securely wipes files. If the device is an officer s home computer/laptop: The computer must have current virus and malware protection. All OIC documents and records must be stored in a password-protected location on the computer. The computer must have software installed that securely wipes files. In all cases, (and specifically including unregistered BYOD): before a device is connected to the OIC network any telecommunications, Bluetooth and/or Wi-Fi connections must be switched-off (such as activating flight-mode ); and once connected, officers must comply with all on-screen instructions concerning security and virus threat protection. If there is a notification that a virus has been found on the PSD, do not access any files on the device. Contact IT immediately on x67400 and advise them of what has happened. Do not close any open windows or the notification message IT will want to know exactly what they say. File sharing There are a number of mobile applications (apps) that facilitate remote sharing of files on the device. These include the variations of: one device acting as a server or client to another device peer to peer or P2P one device sharing the internet connection of another device tethering transfer of files between devices through physical contact 16. File sharing apps are a potential security hazard. Once they are set up, the apps are designed to work quietly in the background and the device owner may not even be aware of an individual exchange. Officers are responsible for ensuring that OIC information is not shared with any other device. Preferably, or whenever practicable, OIC data on a BYOD should only be accessed with the device s Bluetooth and/or Wi-Fi functionality switched off (flight mode). 15 There are numerous free or affordable subscription software available from the internet. Examples include Ccleaner, Erase, Disk Wipe, Avast, and Malware Bytes. The software must be specific to the device s operating system and type of drive. 16 For example the popular Bump app for Android and ios devices.

6 Unsecured wireless networks Most mobile devices have Wi-Fi capability. There is an increasing prevalence of mobile hotspots sites that provide free or for a fee 17 internet access using Wi-Fi technology. Mobile hotspots can be found at restaurants, food courts, libraries, transport hubs, public transport and increasingly public spaces such as malls and parks. 18 If the wireless network is unsecured as it invariably will be with Wi-Fi hotspots, and a mobile device is connected to the network, the device is vulnerable to unauthorised access and information sent using the Wi-Fi connection susceptible to interception. Accordingly, a BYOD must never connect to an unsecured wireless network when the device has OIC files on it. Unregistered BYOD Officers may only use their own Unregistered BYOD, without the permission of MCES, to transfer public or limited 19 unclassified information. Unregistered BYODs are not to be connected to OIC computers or the OIC network for any other purpose. Rewritable CDs and DVDs are classed as unregistered BYOD. 6. Permission to transfer The table below summarises which categories of OIC information are permitted to be transferred to PSDs. Corporate PSDs Registered BYOD Unregistered BYOD in-confidence information Permission from MCES required Never unclassified information No permission needed once device has been registered but limited to personal information and/or records only. public information (purely personal information and/or records must not be transferred to corporate PSDs). No permission needed 17 Sometime the fee consists of the user having to purchase a product from the Wi-Fi provider in order to obtain log on credentials. 18 Officers should not be accessing OIC information and records where there is a vulnerability to shoulder surfing - someone situated behind you seeing both what is on your device and your use of the device. 19 The only records that can be transferred to an unregistered BYOD are the Officer s personal files which should commonly be stored on the H: drive.

7 7. MCES permission OIC officers only may transfer in-confidence information to a Registered BYOD with permission. Only MCES, the Information Commissioner, Privacy Commissioner, RTI Commissioner or First Assistant Information Commissioner may give permission under this section. Permissions may be: granted to an individual officer or team (for example, to provide training outside the office) given for a specific event or time period (for example, to conduct a performance review) subject to special conditions. It is critical that officers observe the terms of the relevant permission before transferring any inconfidence information to a PSD and that the security requirements for registered BYODs set out in section 5.2 of this policy are met. 8. Record keeping PSDs are to be used as a temporary business tool only. OIC information must remain on the device for the shortest practicable time. OIC staff should ensure that any public record created or received on a PSD is transferred to the relevant OIC recordkeeping system as soon as practicable 20. Officers who copy and edit documents on a PSD or BYOD must reintroduce those documents back into OIC s recordkeeping system. How to identify public records? Not all information that is created or stored on PSDs will qualify as a public record. Using the QSA Checklist 21 may assist in identifying public records which an officer will need to transfer from a PSD to the relevant OIC recordkeeping system. QSA Checklist Mobile and smart devices may contain public records if: they contain information applicable to the purpose and works of the public authority that is unique and not available anywhere else (e.g. not duplicated from websites or recordkeeping systems) they contain a primary source of evidence of a public authority s policies, business, decisions, mission, etc. they are used in relation to the public authority s work and generate evidence of work (e.g. notes added to meeting minutes, photographs taken to document damaged roads) use is authorised by the public authority they contain information that is required as a business need. 20 See 5.1 earlier. 21 At the time of publication of this policy the checklist and associated decision tree was drawn from QSA s draft guideline on mobile and smart devices which has been distributed for consultation, but has not yet been published.

8 9. Loss or theft of PSD Loss of public records stored on PSDs (whether copies or originals) present the potential for considerable recordkeeping and privacy risks. Loss of a Corporate PSD or Registered BYOD must be reported immediately to MCES. If the device contained in-confidence information, this must be reported immediately to the Information Commissioner. OIC may take a number of steps to mitigate any damage that might result from the loss of information, including (but not limited to): activating any mobile device management solutions installed on the device (e.g. remote wipe and/or remote lock ) notifying individuals of loss of personal information; and submitting notification of lost public records form to QSA. 10. Audit The Information Commissioner is authorised to monitor compliance with Parliamentary Services Network Security & ICT Device Usage Policy. This includes instituting policies for the conduct of OIC business on PSDs, including Registered BYOD. 11. Disposal Information Once information on a Corporate PSD or Registered BYOD is no longer required, including for recordkeeping purposes, the information should be wiped from the device 22. It is the officer s responsibility to securely wipe information off their BYOD or their home computer or laptop. Information can simply be deleted from Corporate PSDs. MCES will regularly wipe the data storage of Corporate PSDs. Devices Once a Corporate PSD is no longer required by the OIC, or no longer works properly, the device must be destroyed in accordance with Information Standard 13 (IS13) - Procurement and Disposal of ICT Products and Services. This must be carried out with MCES supervision in line with QGISSF requirements and recorded in the PSD register. 12. Last updated This policy was last updated on 6 March Simply deleting data during everyday use doesn't remove the data from the drive; instead, it merely erases the pointer to that data. Deleted data can still be recovered using simple software tools. To remove data permanently, specialist software literally writes gibberish over the existing data.

9 13. Review cycle Due to the diversity and frequent release of new devices, OIC will continually review and reevaluate recordkeeping solutions developed for PSDs. Accordingly, this policy will be reviewed at least annually.