Personnel are advised to take the following precautions when using mobile devices: • never leave mobile devices or removable media unattended, including by placing them in checked-in luggage or leaving them in hotel safes • never store credentials with mobile devices that they grant access to, such as in laptop computer bags • never lend mobile devices or removable media to untrusted people, even if briefly • never allow untrusted people to connect their mobile devices or removable media to your mobile devices, including for charging • never connect mobile devices to designated charging stations or wall outlet charging ports • never use gifted or unauthorised peripherals, chargers or removable media with mobile devices • never use removable media for data transfers or backups that have not been checked for malicious code beforehand • avoid reuse of removable media once used with other parties’ systems or mobile devices • avoid connecting mobile devices to open or untrusted Wi-Fi networks • consider disabling any communications capabilities of mobile devices when not in use, such as Wi-Fi, Bluetooth, Near Field Communication and ultra-wideband • consider periodically rebooting mobile devices • consider using a VPN connection to encrypt all cellular and wireless communications • consider using encrypted email or messaging apps for all communications.
Topic
Personnel awareness
Applicable to
all
History
Priority
should
Sep 2023
Personnel are advised to take the following precautions when using mobile devices:
• never leave mobile devices or removable media unattended, including by placing them in checked-in luggage or leaving them in hotel safes
• never store credentials with mobile devices that they grant access to, such as in laptop computer bags
• never lend mobile devices or removable media to untrusted people, even if briefly
• never allow untrusted people to connect their mobile devices or removable media to your mobile devices, including for charging
• never connect mobile devices to designated charging stations or wall outlet charging ports
• never use gifted or unauthorised peripherals, chargers or removable media with mobile devices
• never use removable media for data transfers or backups that have not been checked for malicious code beforehand
• avoid reuse of removable media once used with other parties’ systems or mobile devices
• avoid connecting mobile devices to open or untrusted Wi-Fi networks
• consider disabling any communications capabilities of mobile devices when not in use, such as Wi-Fi, Bluetooth, Near Field Communication and ultra-wideband
• consider periodically rebooting mobile devices
• consider using a VPN connection to encrypt all cellular and wireless communications
• consider using encrypted email or messaging apps for all communications.
The existing control relating to taking specific precautions when travelling overseas with mobile devices was amended to reflect that the advice is also applicable to using mobile devices domestically. In addition, the control was amended to discourage the use of gifted or unauthorised peripherals with mobile devices.
Dec 2021
Personnel take the following precautions when travelling overseas with mobile devices:
• never leaving mobile devices or removable media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes
• never storing credentials with mobile devices that they grant access to, such as in laptop bags
• never lending mobile devices or removable media to untrusted people, even if briefly
• never allowing untrusted people to connect their mobile devices or removable media, including for charging
• never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people
• avoiding connecting mobile devices to open or untrusted Wi-Fi networks
• using a VPN connection to encrypt all mobile device communications
• using encrypted messaging apps for communications instead of using foreign telecommunication networks
• disabling any communications capabilities of mobile devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication
• avoiding reuse of removable media once used with other parties’ systems or mobile devices
• ensuring any removable media used for data transfers are thoroughly checked for malicious code beforehand
• never using any gifted mobile devices, especially removable media, when travelling or upon returning from travelling.
Miscellaneous changes were made to rationale and security controls throughout the publication. This included:
• A review from the Using the Information Security Manual chapter through to the Guidelines for Media chapter.
• Security controls suitable for all audiences have been identified with the ‘All’ applicability marking while additional security controls suitable for just government audiences have been identified with the O, P, S and TS applicability markings.
• Security controls suitable for specific classifications have been amended to include their classification(s) in the wording of the security controls to reduce the reliance on applicability markings to confer suitability.
• Tables in security controls have been converted into prose to allow for inclusion in the SSP annex template and the XML list of security controls.
• The use of ‘official’ and ‘highly classified’ terminology has been replaced with specific classifications to remove ambiguity.
• Security controls relating to high assurance ICT equipment have had their applicability narrowed to ‘S, TS’ reflecting that they are intended for the protection of SECRET and TOP SECRET systems and data.
Oct 2019
Personnel take the following precautions when travelling overseas with mobile devices:
§ never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes
§ never storing credentials with devices that they grant access to, such as in laptop bags
§ never lending devices to untrusted people, even if briefly
§ never allowing untrusted people to connect other devices or media to their devices, including for charging
§ never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people
§ avoiding connecting devices to open or untrusted Wi-Fi networks
§ using an approved Virtual Private Network to encrypt all device communications
§ using encrypted mobile applications for communications instead of using foreign telecommunication networks
§ disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication
§ avoiding reuse of media once used with other parties’ devices or systems
§ ensuring any media used for data transfers are thoroughly checked for malicious code beforehand
§ never using any gifted devices, especially media, when travelling or upon returning from travelling.
Security control 1087 was merged into security control 1299. In addition, security control 1299 was updated to align with advice within the ACSC’s Travelling Overseas with Electronic Devices publication.
Sep 2019
Personnel take the following precautions when travelling overseas with mobile devices:
§ avoiding storing authentication details or tokens and passphrases with mobile devices
§ avoiding connecting to open Wi-Fi networks
§ clearing web browsers after each browsing session including history, cache, cookies and temporary files
§ encrypting emails where possible
§ ensuring login pages are encrypted before entering passphrases
§ avoiding connecting to untrusted computers or inserting removable media.
2017
Personnel should take the following precautions when travelling overseas with a mobile device:• avoid storing authentication details or tokens and passphrases with the device• avoid connecting to open Wi-Fi networks• clear web browser after each session including history, cache, cookies, URL andtemporary files• encrypt emails where possible• ensure login pages are encrypted before entering passphrases• avoid connecting to untrusted computers or inserting removable media.
Control Text Changed. No public explaination.
2015
Personnel should take the following precautions when travelling overseas with a mobiledevice:• avoid storing authentication details or tokens and passphrases with the device• avoid connecting to open Wi–Fi networks• clear web browser after each session including history, cache, cookies, URL and temporaryfiles• encrypt emails where possible• ensure login pages are encrypted before entering passphrases• avoid connecting to untrusted computers or inserting removable media.