A WA parliamentary question on notice reveals policies and procedures for restricting unauthorised access to mobile devices across various government departments, along with details on device disposal methods and data sanitisation practices.
Answered
QoN 3182
Legislative Assembly
Asked
12 June 2018
Member
Portfolio
Treasurer; Minister for Finance; Energy; Aboriginal Affairs
Question
In respect of the Minister’s portfolio responsibilities for any of their departments, agencies, government trading enterprises or boards, I ask:
(a) Are there any policies or procedures in place for restricting unauthorised access to mobile devices (mobile phones, tablets and laptops):
(i) If so, what are they; and
(ii) If not, why not;
(b) How many mobile devices have been disposed of in the following financial years and what was their disposal method (i.e. at auction):
(i) 2015-16;
(ii) 2016-17; and
(iii) 2017-18; and
(c) Were any of the mobile devices in (b)(i)-(iii) used to store sensitive or confidential information:
(i) If so, what type of sensitive or confidential information; and
(ii) If so, what measures are put in place to ensure this information is not retained on the hard-drive of the device upon its disposal?
Answer
Answered
14 August 2018
Response time
9 days
Department of Treasury
(a) Yes
(i) Information Security Policy, Acceptable Use Policy, Asset Management Policy and Operational Guidelines.
(ii) Not applicable
(b)(i) 2015-16; 19 – Disposed of through supplier under Common Use Agreement CUAWAS2016 – Waste Disposal and Recycling Services.
(ii) 2016-17 – Nil
(iii) 2017-18; 15 – Disposed of through supplier under Common Use Agreement CUAWAS2016.
(c) Yes
(i) Content of emails
(ii) The mobile devices are restored back to factory settings. The devices are then disposed of through a supplier under the CUAWAS2016 – Waste Disposal and Recycling Services whereby appropriate measures are taken to sanitise the information on the devices. A certificate is received for every device that is disposed of.
Department of Finance
(a) Yes
(i) Information Security Policy, Information Media Disposal Procedure, Password Policy and Remote Access Policy.
(ii) Not applicable
(b) All mobile devices have been disposed of through a supplier under the Common Use Agreement CUAWAS2016 “Waste Disposal and Recycling Services”.
(i) 2015-16 – 173
(ii) 2016-17 – Nil
(iii) 2017-18 – 136
(c) Yes
(i) Content of emails
(ii) The mobile devices are restored back to factory settings. The devices are disposed of through a supplier under the Common Use Agreement CUAWAS2016 “Waste Disposal and Recycling Services” whereby appropriate measures are taken to sanitise the information on the devices. A certificate is received for every device that is disposed.
Western Australia Treasury Corporation
(a) Yes
(i) Western Australian Treasury Corporation Contract of Employment and Access Request Process.
(ii) Not applicable
(b)
(i) None
(ii) 5 Laptop PCs sold to staff by confidential bid process.
(iii) None
(c) Yes
(i) Western Australian Treasury Corporation business information.
(ii) Disc drives are wiped multiple times (killdisk applied 10 times)
Economic Regulation Authority
(a) Yes
(i) Mobile phones are secured with a pin number and controlled by network mobile device management software. Mobile computing device hard drives are encrypted through Microsoft BitLocker, Anti Virus, and group policy security measures.
(ii) Not applicable
(b)
(i) 3 mobile phones, 6 mobile devices - recycled as e-waste
(ii) 4 mobile phones - donated to a technology charity
(iii) Nil
(c) Yes
(i) All official mobile devices have access to the ERA’s network. Therefore they have access to any commercial in confidence information held on the network.
(ii) Prior to disposal mobile devices are data wiped and reset to factory settings (if devices have not suffered critical failure). The contractor used to recycle e-waste uses industry standard data wiping software and physical data storage element destruction.
Department of Planning, Lands and Heritage
(a) Please refer to the answer to Legislative Assembly Question on Notice 3179.
(b)
Former Department of Aboriginal Affairs :
(i) Nil
(ii) 20 – eWaste
(iii) Not applicable
(c) No
(i)-(ii) Not applicable
Aboriginal Policy and Coordination Unit
Please refer to the answer to Legislative Assembly Question on Notice 3192.
Western Power
(a) Western Power has procedures in place to restrict unauthorised access to mobile devices in line with our Information & Communication Technology Cyber Security Standard:
(b)
(i-iii)
| Year Disposed | Laptop | Mobile Phone | Tablet | Grand Total |
| --- | --- | --- | --- | --- |
| 2015/16 | 382 | 110 | 75 | 567 |
| 2016/17 | 354 | 64 | 147 | 565 |
| 2017/18 | 239 | 30 | 142 | 411 |
All disposed hardware is sent to Ross’s Auctions.
(c)(i) Disposed laptops and tablets may contain sensitive or confidential data, including customer, commercial and HR data, depending on the role of the custodian. The mobile phones were older devices that did not have any data storage capability.
(ii) All laptop and tablet hard drives are securely wiped to DOD 5220.22-M standard before disposal. In the event a hard drive cannot be wiped due to hardware failure, the hard drive is removed from the device and stored securely pending destruction.
We are currently finalising a process to securely dispose of Smart Phones. These devices will be either securely wiped to ISO 27001 and ISO 27040 standard, or be physically destroyed. Until that is in place, Smart Phones are securely stored.
Synergy
(a) Yes.
(i) For laptops, users are required to authenticate themselves on the device before they can access any software or systems and the hard drives of all computers with the Synergy Standard Operating Environment have BitLocker hard drive encryption enabled.
For mobile phones and tablets provided by Synergy, a pin code configured at provisioning is required for all users.
(ii) Not applicable.
(b)
(i-iii)
| Year | Mobile devices disposed of | Disposal method |
| --- | --- | --- |
| 2015-16 | 371 | Returned to lessor (288); Sold or auctioned (46); Recycled (37) |
| 2016-17 | 710 | Returned to lessor (523); Sold or auctioned (26); Recycled (161) |
| 2017-18 | 423 | Returned to lessor (384); Sold or auctioned (39) |
(c) It is possible for any Synergy mobile device to have contained Synergy confidential information.
(i) Information pertaining to Synergy’s commercial activities and operations.
(ii) All laptops are securely wiped with zeroes before disposing. All mobile phones and tablets are factory reset where possible.
Horizon Power
(a) Yes
(i) Horizon Power use Apple iPhones and iPads for corporate mobility and communication. These devices are enrolled in Apple’s Device Enrolment Program (DEP) and are monitored in Airwatch (Telstra Mobile Device Management). Each device requires a Horizon Power username and password to initially configure them and a passcode must be set to unlock them. The SIM cards have an active SIM PIN.
Windows laptop access requires a Horizon Power username and password and all user data is stored on network storage, including users’ folders such as documents, pictures and downloads.
(ii) Not Applicable
(b)
(i) None
(ii) None
(iii) 246 end-of-life, damaged or faulty phones were disposed in September 2017. The method of disposal was to use a company called ‘phone cycle’.
(c) Yes
(i) Corporate phones and tablets. Mobile devices store cached credentials for accessing corporate emails.
(ii) All data is cleared from mobile devices when returned to the Technology department prior to storing, reissue, or disposal.
Government Employees Superannuation Board
(a) Yes
(i)
(ii) Not applicable
(b)
(i) 7 devices. Disposal Method for these seven devices was via the Brightstar Trade-In program (Telstra Corporate Device Upgrade Program - For Trade In Of Used Mobile Devices)
(ii) Nil
(iii) Nil
(c) Yes
(i) Exchange (Email)
(ii) Staff follow an internal process relating to the disposal of IT assets. This process includes the removal of:
Once the above has been actioned, ‘Erase all content and settings’ is selected to restore the device back to its factory settings. Only third party providers approved under the Common Use Agreement (CUA) are permitted to perform asset disposal activities as per GESB’s asset disposal policy. Once the internal process has been completed GESB arranges for a CUA supplier to co-ordinate the disposal of devices.
Fire and Emergency Services Superannuation Fund
(a) Yes
(i) Listed below -
(ii) Not applicable
(b)(i) 2015-16 : No mobile devices were disposed of
(ii) 2016-17 : iPad used for Board meetings gifted to Alternate Trustee on his resignation from our Board
(iii) 2017-18 : No mobile devices were disposed of
(c) Yes
(i) Board policies; agenda; minutes and investment papers.
(ii) The sensitive/confidential information is only available through an application, which is accessed by logging in. Logging in to the application is disabled once the device is disposed of.
Insurance Commission of Western Australia
(a) Yes
(i) Policies and procedures on acceptable use and security.
(ii) Not applicable
(b) None
(i-iii) Not applicable
(c) Not applicable
Office of the Auditor General
(a) Yes
(i) The OAG has a number of policies and procedures in place for restricting unauthorised access to mobile devices, including:
- Device BIOS passwords, where available
- Password security mechanisms
- Screen locking mechanisms
- User account authorisation and management processes
- Device encryption processes
(ii) Not applicable
(b)
(i) 2015-16: 2 mobile devices were disposed of via environmental recycling
(ii) 2016-17: 8 mobile devices were disposed of via environmental recycling
(iii) 2017-18: 139 mobile devices were disposed of via environmental recycling
(c) Yes
(i) Laptop computers are used for the temporary storage and processing of Office of the Auditor General audit and operational information.
(ii) All hard drives are removed from laptop computers prior to the disposal of the laptop computer. These hard drives are disposed of via secure destruction methods in accordance with CUA WAS2016 ‘Waste Disposal and Recycling Services’.