A WA parliamentary question on notice regarding policies and procedures for restricting unauthorised access to mobile devices and their disposal within the Transport, Planning, and Lands portfolios. The responses detail security measures and disposal methods across various departments.

Status: Answered
QoN 3179, Legislative Assembly
Asked: 12 June 2018
Portfolio: Transport; Planning; Lands

Question

In respect of the Minister’s portfolio responsibilities for any of their departments, agencies, government trading enterprises or boards, I ask:
(a) Are there any policies or procedures in place for restricting unauthorised access to mobile devices (mobile phones, tablets and laptops):
(i) If so, what are they; and
(ii) If not, why not;
(b) How many mobile devices have been disposed of in the following financial years and what was their disposal method (i.e. at auction):
(i) 2015-16;
(ii) 2016-17; and
(iii) 2017-18; and
(c) Were any of the mobile devices in (b)(i)-(iii) used to store sensitive or confidential information:
(i) If so, what type of sensitive or confidential information; and
(ii) If so, what measures are put in place to ensure this information is not retained on the hard-drive of the device upon its disposal?

Answer

Answered: 22 August 2018
Responded by: Minister for Transport; Planning; Lands
Response time: 13 days
Department of Planning, Lands and Heritage
(a) Yes
(i) Prior to the formation of the Department of Planning, Lands and Heritage (DPLH), separate policies were in place for each of the former agencies. DPLH is in the process of developing a single policy.
Procedures are in place to restrict unauthorised access to mobile devices. For mobile phones and tablets, access to the device is subject to the vendors’ PIN controls, and access to corporate information through the device is subject to corporate access and password controls. Laptops are subject to corporate access and password controls, and digital certificates to authenticate the device on the corporate network.
(ii) Not applicable
(b)
Former Department of Planning
(i) 36 – Donated to TADWA and eWaste
(ii) 67 – Donated to TADWA and eWaste
(iii) Not applicable
Former Department of Lands
(i)-(ii) Nil
(iii) Not applicable
Department of Planning, Lands and Heritage
(i)-(ii) Not applicable
(iii) 46 – 16 to auction and Mobile Munster; 13 auctioned internally; 17 eWaste
Western Australian Planning Commission
(i)-(iii) Nil
(c)
(i) Potential emails
(ii) Each mobile phone being disposed of is wiped clean using the vendor’s standard process to return the device to factory settings, clearing all local content on the device.
Department of Transport
(a) Yes
(i) All corporate mobile devices that have corporate information have the relevant security settings applied to them based on DoT’s relevant policies and procedures. These security settings include restricted access through passwords/PIN codes, encryption of data, etc. These security settings are managed and enforced via a Mobile Device Management (MDM) tool. DoT currently uses MobileIron as its MDM tool. For other portable devices such as laptops, access is restricted through passwords; data stored on these devices’ hard drives is encrypted using Microsoft BitLocker.
(ii) Not applicable
(b)
(i) 274, auction, written off or returned to the financier (leased)
(ii) 156, auction, written off or returned to the financier (leased)
(iii) 113, auction, written off or returned to the financier (leased)
(c)
(i) Potential sensitive emails and contact details
(ii) DoT treats all assets in the same manner when ensuring data security. Each asset has the hard drive removed and that hard drive is then given a secure three pass wipe with DiskClon 2.0.5.2. If deemed not suitable or there are any corruptions with the hard drive it is instead securely destroyed via a shredding method so that it can be recycled thereafter.
Main Roads Western Australia
(a) Yes
(i) Main Roads owned Windows 10 tablets and laptops are running the Main Roads Standard Operating Environment and are secured and managed by System Centre Configuration Manager, which means a valid username and password is required to access the device. Mobile devices and tablets owned by Main Roads running Windows mobile, Android Operating Systems or Apple iOS are enrolled in a Mobile Device Management product (Microsoft Intune) which enforces a passcode or password on the device and also enforces a device compliance policy.
(ii) Not applicable
(b)
(i) 337, donation, recycling or auction
(ii) 358, donation, recycling or auction
(iii) 478, donation, recycling or auction
(c)
(i) Emails
(ii) There are procedures in place to wipe all devices, including mobile devices, of all information prior to disposal. If lost or stolen, these devices are secured, but they can be remotely wiped by the MDM product.
Public Transport Authority
(a) Yes
(i) Access to mobile phones and tablets is controlled by a device passcode and access to laptops is controlled by username and password.
(ii) Not applicable
(b)
(i) 194, environmental recycling through vendors available under the CUAWA S2016 who provide sanitisation and destruction services of all storage media.
(ii) 180, environmental recycling through vendors available under the CUAWA S2016 who provide sanitisation and destruction services of all storage media.
(iii) 359, environmental recycling through vendors available under the CUAWA S2016 who provide sanitisation and destruction services of all storage media.
(c)
(i) Potential emails
(ii) The Public Transport Authority has measures in place to ensure any sensitive or confidential information is not retained on storage media when they are disposed of. This process is undertaken by vendors under the CUAWA S2016 who provide a sanitisation and destruction service as well as an erasure report with each disposal collection.
Mid West Ports Authority
(a) Yes
(i) Telephone Policy and Telephone Procedure
(ii) Not applicable
(b)
(i) 26, sent to approved agency for recycling
(ii) 17, sent to approved agency for recycling
(iii) 11, sent to approved agency for recycling
(c)
(i) Emails
(ii) Devices are reset to factory settings before disposal
Kimberley Ports Authority
(a) Yes
(i) Included in the Mobile Telephone Policy and the Computer and Communications Policy regarding physical security and password authentication.
(ii) Not applicable
(b)
(i) Nil
(ii) 4 – destroyed
(ii) 8 – Destroyed
(c)
(i) Emails
(ii) All mobile phones and hard drives are physically destroyed prior to disposal.
Southern Ports Authority
(a) Yes
(i) Laptops are domain managed with password policies and mobile phones and tablets are secured by PIN codes.
(ii) Not applicable
(b)
(i) 8, purchased by staff, destroyed or recycled
(ii) 8, purchased by staff, destroyed or recycled
(iii) 3, purchased by staff
(c)
(i) Board/CEO/ELT level information
(ii) Mobile devices that are not damaged are restored to factory defaults. Hard disks in laptops are removed and destroyed.
Fremantle Ports Authority
(a) Yes
(i) Mobile Device Policy and Mobile Device Guidelines
(ii) Not applicable
(b)
(i) 3, returned to supplier
(ii) 61, returned to supplier
(iii) 52, returned to supplier
(c) No
(i) Not applicable
(ii) Mobile phones and tablets are wiped prior to disposal, and certified data sanitisation of laptops occurs prior to disposal.
Pilbara Ports Authority
(a) Yes
(i) i.PPA Information Security Policy and PPA ICT Acceptable Usage and ICT Mobile Computing Devices Procedure
(ii) Not applicable
(b)
(i)-(iii) Nil
(c) Not applicable
Landcorp
(a) Yes
(i) Enterprise Mobility Policy, Mobile Device Guidelines, Phone Usage Policy and Information Systems Usage Policy.
(ii) Not applicable
(b)
(i) 7 laptops and 1 phone decommissioned and destroyed.
(ii) 7 tablets and 6 phones sold by private treaty.
(iii) 9 mobile phones decommissioned, wiped to factory settings and disposed via a third party recycling program; 67 laptops sold by private treaty; and 2 laptops decommissioned and destroyed.
(c)
(i) Business documents
(ii) The hard-drive on sold devices is reformatted and reimaged with a new Operating System. The hard-drive on a decommissioned device is wiped before being destroyed by a third party recycling company.
Landgate
(a) Yes
(i) ITC Mobile Device Rules and Acceptable Use Policy. All mobile devices are added to the Mobile Device Management system (Maas360). It is mandatory they are password protected. Laptops are imaged and password protected within the network.
(ii) Not applicable
(b)
(i) No record
(ii) Nil
(iii) 4 phones – recycled; 6 tablets disposed of with Total Green Recycling.
(c)
(i) Emails
(ii) Apple IDs are reset and email accounts deleted by the custodian. The Asset Management Team perform a factory reset before disposal. A remote wipe can be carried out through the Mobile Device Management system (Maas360) by the Asset Management Team or Service Desk team.
Metropolitan Redevelopment Authority
(a) Yes
(i) The MRA has an Information Services Policy 9.06 Mobile Device Management which includes provisions for Mobile Device Management software to control mobile devices.
(ii) Not applicable
(b) All mobile phone/tablet disposals are undertaken using secure destruction (shredding) whereas laptop HDDs have undergone data sanitization.
(i) 17
(ii) 25
(iii) 105
(c)
(i) Emails
(ii) All mobile devices were manually reset to factory default settings, ensuring data is erased from the mobile device. On disposal the recycling company disposes via a bulk shredding method, i.e. physical destruction of mobile devices. On destruction the recycling company provides the MRA with an IT asset report and recycling Certificate. This Certificate guarantees that the equipment has been recycled according to ISO 14001 best practice.
