A WA parliamentary question on notice asks about policies and procedures for restricting unauthorised access to mobile devices, and about device disposal, within the agencies under the Attorney General's portfolio. The responses reveal varying levels of security measures and disposal methods.
Answered · QoN 3184 · Legislative Assembly
Question
In respect of the Minister’s portfolio responsibilities for any of their departments, agencies, government trading enterprises or boards, I ask: (a) Are there any policies or procedures in place for restricting unauthorised access to mobile devices (mobile phones, tablets and laptops): (i) If so, what are they; and (ii) If not, why not; (b) How many mobile devices have been disposed of in the following financial years and what was their disposal method (i.e. at auction): (i) 2015-16; (ii) 2016-17; and (iii) 2017-18; and (c) Were any of the mobile devices in (b)(i)-(iii) used to store sensitive or confidential information: (i) If so, what type of sensitive or confidential information; and (ii) If so, what measures are put in place to ensure this information is not retained on the hard-drive of the device upon its disposal?
Answer
Answered: 14 August 2018
Response time: 9 days
THE CORRUPTION AND CRIME COMMISSION
(a) Yes
(i) The CCC has Use of Information Technology (policy and procedure), Information Security policy and Laptop Security Procedure.
(ii) Not Applicable
(b) (i) One laptop - hard drive was extracted and mechanically destroyed.
(ii) Seven laptops - hard drives were extracted and mechanically destroyed.
(iii) 126 mobile phones - mechanically destroyed, and 19 laptops - hard drives were extracted and mechanically destroyed.
(c) Yes.
(i) Mobile devices may contain CCC official information.
(ii) All hard drives are extracted and mechanically destroyed.
DEPARTMENT OF JUSTICE
(a) Yes.
(i) The Department of Justice (the Department’s) Computer and Telecommunications Facilities Policy stipulates that staff must ensure the physical safety and security of portable equipment, use password protection and report any adverse events.
(ii) Not applicable.
(b) The Department is unable to provide disposal figures for mobile phones and iPads. Department of Justice figures for laptops as disposed through either auction or being recycled are below;
(i) 2015–16: 103 laptops
(ii) 2016–17: 61 laptops
(iii) 2017–18: 32 laptops
(c) Yes
(i) personal, medical, security, legal information for example.
(ii) All software and data in mobile devices is completely removed before disposal by overwriting the media at least three times in its entirety with a random pattern followed by a read back for verification. This method is compliant with the State Records Commission Standard 8 – Digital Recordkeeping and SRO Guideline – Sanitising Digital Media and Devices.
EQUAL OPPORTUNITY COMMISSION
(a) Yes
(i) Physical access is restricted and access is authenticated via log on credentials and valid password;
(ii) Not applicable
(b) (i-iii) Nil
(c) No
(i-ii) Not applicable
THE LEGAL PRACTICE BOARD INCLUDING THE LEGAL PROFESSION COMPLAINTS COMMITTEE (WHICH IS A COMMITTEE OF THE BOARD)
(a) Yes.
(i) Any mobile device to be used by a staff member and taken offsite must be approved by their supervisor or Executive Director. Staff requiring use of a mobile device must send their requests to IT division. Any mobile device used by a staff member is logged and signed out in a borrowers book. Devices are signed back in and checked by the IT division. All mobile devices are password or pin number protected according to the Board’s Password Standard Policy. Mobile devices are used to log into the Board’s Citrix network using network logins and all work must be completed within the Citrix network and not saved to the mobile devices restricting unauthorised access to private and confidential information.
All staff using a mobile device must adhere to the Board’s Computer Usage Policy (Off-site) and ensure:
(b) (i) 2015-16: 1 - waste collection. Disk wiping procedures to standard DoD 5220.00-M ECE method were used prior to disposal.
(ii) 2016-17: 11 - waste collection. Disk wiping procedures to standard DoD 5220.00-M ECE method were used prior to disposal.
(iii) 2017-18: 0
(c) No. See above regarding disk wiping procedures.
LEGAL AID WA
(a) Yes
(i) Security measures including secure logon or passcodes have been implemented on all mobile devices to restrict unauthorised access.
(ii) Not applicable
(b) Depending upon their age and condition mobile devices are either disposed for recycling or destroyed.
(i) 27 devices
(ii) 17 devices
(iii) 33 devices
(c) Sensitive information is not stored on mobile devices unless encryption technologies have been used to secure the information. Corporate policy states that sensitive information should not be stored on any mobile devices such as laptops, tablets or mobile phones unless approved encryption technologies have been used to secure the information.
(i) Not applicable
(ii) All mobile devices are sanitised to remove information prior to disposal or destruction.
OFFICE OF THE COMMISSIONER FOR CHILDREN AND YOUNG PEOPLE
(a) CCYP has an Acquisition and use of Attractive and Portable Assets/Mobile Devices Policy. Phones, laptops and tablets not being used are stored in a locked cabinet and staff sign out the item when being used offsite.
(b) (i) 0
(ii) 0
(iii) 0
(c) N/A
OFFICE OF THE DIRECTOR OF PUBLIC PROSECUTIONS
(a) (i) The ODPP has the following policies regarding corporate and personal mobile devices:
(ii) N/A.
(b) (i) – (iii) No Mobile Devices have been disposed of for the inclusive period 2016 - 18.
(c) (i) – (ii) N/A.
OFFICE OF THE INFORMATION COMMISSIONER
(a) No.
(i) Not applicable.
(ii) The OIC does not supply mobile phones. We have two laptops and a tablet. Any staff member can use them as required.
(b) (i)-(iii) Nil.
(c) Not applicable.
SOLICITOR GENERAL'S OFFICE
(a) Yes;
(i) Mobile devices are allocated specifically to the Solicitor General and the research assistant. All have password protection, are kept in secure office when not in use;
(ii) not applicable;
(b) (i) nil;
(ii) nil;
(iii) one. Faulty device returned to supplier.
(c) Yes;
(i) emails with attachments of court documentation and legal advice;
(ii) device securely wiped before handover to supplier.
STATE SOLICITOR'S OFFICE
(a) Yes
(i) If not allocated to a member of staff mobile devices are physically secured in a secured storeroom which is accessible only by approved State Solicitor's Office personnel
(ii) N/A
(b) (i) – (ii) None
(iii) 55. Sold to public sector employees through a competitive process in line with the relevant policy for the disposal of goods.
(c) Yes
(i) Work related emails and some working documents
(ii) Prior to disposal all mobile devices undergo a process of three consecutive security wipes.