
DPC/G4.11 Government guideline on cyber security

ISMF Guideline 11: Departing personnel

BACKGROUND

Agencies are required to take steps to manage personnel departures from the organisation. Additional measures are required when a clearance subject is preparing to leave the organisation. As the SA Government is privy to sensitive information, it is of great importance that employees do not retain access to this information when they leave the public sector, or even when their position changes within the public sector. In certain circumstances, even an intra-agency or intra-departmental transition may be treated as a personnel departure because of the sensitivity of the information, and the access levels, that the employee or contractor was privy to. This guideline supports implementation of ISMF Policy Statement 11.

Agencies should ensure that staff who have access to security classified resources, and their managers, understand and accept their day-to-day responsibilities for protecting the resources under their control. Access to resources should be no wider than is required for the efficient conduct of the business at hand and should be restricted to those who hold authorised access. Several measures need to be undertaken so that, as soon as their employment concludes, employees no longer have access to any information for which they lack a legitimate 'need to know'. This guideline outlines the cyber security considerations that should be addressed to provide continued assurance that agency information assets are used in a way that maintains the confidentiality, integrity and availability of resources when personnel leave the organisation (or a business unit, directorate etc.).

GUIDANCE

Prior to separation an agency is to:

- Remind the employee of his or her continuing personal obligations under the Criminal Law Consolidation Act 1935 (SA), the Crimes Act 1914 (Cth), the Public Sector Act 2009 (SA) and other relevant legislation

- Seek the employee’s signed recognition of that continuing obligation

- Debrief separating staff who have access to:
  - Secret or top secret information or resources
  - Code-word information
  - Security classified information and associated resources

The agency should have similar procedures in place for contracted service providers and temporary personnel.


Information Security Management Framework

Agencies are responsible for developing and implementing policies and procedures to ensure the security of persons, assets and information when personnel leave the organisation. These policies and procedures must be developed in accordance with the minimum requirements of the Protective Security Management Framework [PSMF], Australian Government Protective Security Policy Framework [PSPF] and the Information Security Management Framework [ISMF] as outlined in the tables below.

TERMINATION RESPONSIBILITIES
Establish and maintain procedures to manage employee departures/moves

Applicability: ALL

Relevant ISMF policy and standard (consult ISMF for full suite of controls):

Policy Statement 11
Responsible Parties shall implement and maintain a procedure or set of procedures to effectively manage departing employees or the withdrawal of assigned responsibilities for employees, contractors and other third party users.

ISMF Standard 27
Each Responsible Party must have a documented procedure for performing employment termination and/or for the withdrawal of assigned responsibilities resulting from a change in employment status for employees, contractors and other third party users.

RECOVER/RETAIN INFORMATION ASSETS
Ensure that organisational information assets (including the information itself) are retained

In general, the Business Owner or their appointed information custodian should authorise the removal of equipment, information or software. Procedures should be established to facilitate the approval process.

Applicability: ALL

Relevant ISMF standard (consult ISMF for full suite of controls):

ISMF Standard 46
Responsible Parties must ensure that information assets, including but not limited to physical assets such as Portable Storage Devices, software and other communications devices, are not removed from premises without prior authorisation.

Government guideline on cyber security: Departing personnel v2.1 (ISMF Guideline 11), page 2 of 5


SECURE DISPOSAL AND/OR REUSE OF RETURNED ASSETS
Assets returned by departing personnel will require a certain level of media sanitisation

Agency standards and procedures must address the measures to be taken to ensure that media is cleared of sensitive information prior to being used for another purpose. Sanitisation of devices and media should occur after the Official Records have been appropriately archived or disposed of, specifically:

Agencies shall observe the requirements for the disposal of Official Records in accordance with a records disposal schedule approved by State Records pursuant to section 23(1) of the State Records Act 1997 (SA).

State Records Act 1997 (SA), section 23(1):

An agency must not dispose of official records except in accordance with a determination made by the Manager with the approval of the Council.

Applicability: ALL

Relevant ISMF standards (consult ISMF for full suite of controls):

ISMF Standard 45
Agencies shall develop standards and procedures for the safe disposal and/or re-issue of ICT infrastructure that has been used to store Agency information assets.

ISMF Standard 60
Agencies must implement formal procedures, including supplier obligations for adherence to such procedures, for the sanitisation and/or secure and safe disposal of media that is no longer required, in alignment with the technical controls described in the Australian Government ISM.

REVOKE ACCESS ENTITLEMENTS
Access to agency ICT and physical resources should be revoked at the time of personnel departure

The access rights of all employees, contractors and third party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Applicability: ALL

Relevant ISMF standards (consult ISMF for full suite of controls):

ISMF Standard 29
Each Responsible Party shall have an established and logged procedure for the withdrawal and/or modification of access rights for departing employees, contractors and third-party users.

ISMF Standard 77
Formal registration and de-registration procedures shall be implemented for granting and revoking access to all information systems and services.

ISMF Standard 80
Responsible Parties shall conduct periodic reviews of users' access rights so as to maintain effective control over access to data and information services.
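The three standards above describe a logged de-registration procedure and a periodic review of access rights, but not how an agency would actually catch the gap between the two. As an added example (not part of this guideline and not an SA Government tool), the following Python script shows one way to do the periodic review: it reconciles an HR register of separations and role changes against an extract of the account directory, flags leavers whose accounts are still enabled, movers who kept entitlements belonging to their old business unit (the intra-agency transition case from the Background), accounts with no HR record at all, and any login after the separation date, then applies the revocations and emits one JSON audit record per action so the procedure is logged as Standard 29 requires. The HR register, directory extract and group ownership table are constructed for illustration, and the actor name "iam-review" is an assumption.

```python
"""Reconcile an HR register against an account directory and log revocations.

Added example, not part of ISMF Guideline 11. All records below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import json


@dataclass
class HrRecord:
    person_id: str
    status: str            # "active", "separated" or "moved"
    effective: date        # date the status took effect
    business_unit: str     # current business unit (the new one for movers)


@dataclass
class Account:
    username: str
    person_id: Optional[str]   # None when the directory has no HR link at all
    enabled: bool
    groups: set
    last_login: Optional[date]


# Constructed HR register: one leaver, one mover, one unchanged employee.
HR = {
    "P001": HrRecord("P001", "separated", date(2024, 3, 1), "Finance"),
    "P002": HrRecord("P002", "moved", date(2024, 3, 4), "Legal"),
    "P003": HrRecord("P003", "active", date(2021, 6, 14), "Finance"),
}

# Constructed directory extract. svc-legacy has no HR record (orphan).
DIRECTORY = [
    Account("jdoe", "P001", True, {"fin-payroll", "vpn-users"}, date(2024, 3, 5)),
    Account("asmith", "P002", True, {"fin-payroll", "legal-matters"}, date(2024, 3, 6)),
    Account("bwong", "P003", True, {"fin-payroll"}, date(2024, 3, 6)),
    Account("svc-legacy", None, True, set(), None),
]

# Constructed ownership table: which business unit a group belongs to.
# None means the group is agency-wide and not tied to a business unit.
GROUP_OWNER = {"fin-payroll": "Finance", "legal-matters": "Legal", "vpn-users": None}


def reconcile(hr, directory, group_owner, as_of):
    """Return findings as (username, kind, group_or_None, detail) tuples."""
    findings = []
    for acct in directory:
        rec = hr.get(acct.person_id) if acct.person_id else None
        if rec is None:
            findings.append((acct.username, "orphan", None, "no matching HR record"))
        elif rec.status == "separated" and rec.effective <= as_of:
            if acct.enabled:
                findings.append((acct.username, "leaver", None,
                                 f"separated {rec.effective.isoformat()}, account still enabled"))
            # A login after the separation date is an incident, not a housekeeping item.
            if acct.last_login and acct.last_login > rec.effective:
                findings.append((acct.username, "post-separation-login", None,
                                 f"last login {acct.last_login.isoformat()} after separation"))
        elif rec.status == "moved" and rec.effective <= as_of:
            # Movers keep agency-wide groups but lose those owned by another business unit.
            for g in sorted(acct.groups):
                owner = group_owner.get(g)
                if owner is not None and owner != rec.business_unit:
                    findings.append((acct.username, "mover", g,
                                     f"group owned by {owner}; user now in {rec.business_unit}"))
    return findings


def apply_revocations(findings, directory, actor, when):
    """Disable leaver/orphan accounts, strip movers' stale groups, return JSON audit lines."""
    by_user = {a.username: a for a in directory}
    log = []
    for username, kind, group, detail in findings:
        acct = by_user[username]
        if kind in ("leaver", "orphan"):
            removed = sorted(acct.groups)
            acct.enabled = False
            acct.groups.clear()
            action = {"action": "disable", "groups_removed": removed}
        elif kind == "mover":
            acct.groups.discard(group)
            action = {"action": "remove_group", "group": group}
        else:
            action = {"action": "investigate"}   # post-separation login: raise, do not just revoke
        log.append(json.dumps({"ts": when.isoformat(), "actor": actor, "user": username,
                               "reason": kind, "detail": detail, **action}, sort_keys=True))
    return log


if __name__ == "__main__":
    today = date(2024, 3, 7)
    found = reconcile(HR, DIRECTORY, GROUP_OWNER, today)
    for line in apply_revocations(found, DIRECTORY, "iam-review", today):
        print(line)
```

In practice the HR register and directory extract would come from the agency's HR system and identity store, and the audit lines would go to the same log the de-registration procedure already writes to, so that the periodic review and the routine leaver process are evidenced in one place.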



ADDITIONAL CONSIDERATIONS

Responsible Parties should ensure that important knowledge or operational skills have been transferred to other resources prior to departure of the employee and/or contractor.

Agencies should remind their staff of their obligations under the Public Sector Act 2009 (SA) and the Code of Ethics for the South Australian Public Sector including the requirements relating to the handling of Official Information and the use of government/public resources.

The AS/NZS ISO/IEC 27002:2006 standard also provides guidance on page 28 when it states that "in cases of management-initiated termination: disgruntled employees, contractors or third party users may deliberately corrupt information or sabotage information processing facilities. In cases of persons resigning, they may be tempted to collect information for future use."

When accumulating media for disposal, consideration should be given to the aggregation effect, which may cause a large quantity of non-sensitive information to become sensitive.

Damaged devices containing sensitive data may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded.

This guideline does not aim to provide the reader with all of the controls pertaining to personnel departure. It is merely an overview of the information provided in applicable government cyber security policy and the AS/NZS ISO/IEC 27002 Standard. It is highly recommended that agencies review these documents in their entirety. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s).



REFERENCES, LINKS & ADDITIONAL INFORMATION

- DPC/F4.1 Government of South Australia Information Security Management Framework [ISMF]
- PC030 Government of South Australia Protective Security Management Framework [PSMF]
- AS/NZS ISO/IEC 27002:2006 Standard
- Code of Ethics for the South Australian Public Sector
- Australian Government Information Security Manual [ISM]
- Australian Government Protective Security Policy Framework [PSPF]

Document Control

ID: DPC/G4.11
Version: 2.1
Classification/DLM: PUBLIC-I1-A1
Compliance: Discretionary
Original authorisation date: February 2012
Last approval date: September 2017
Review date: September 2018

Licence

With the exception of the Government of South Australia brand, logos and any images, this work is licensed under a Creative Commons Attribution (CC BY) 4.0 Licence. To attribute this material, cite the Department of the Premier and Cabinet, Government of South Australia, 2017.
