Personnel accessing OFFICIAL: Sensitive or PROTECTED systems or data using privately-owned mobile devices or desktop computers have enforced separation of work data from personal data.
Topic
Privately-owned mobile devices and desktop computers
Applicable to
Official, Protected
History
Priority
must
Sep 2023
Personnel accessing OFFICIAL: Sensitive or PROTECTED systems or data using privately-owned mobile devices or desktop computers have enforced separation of work data from personal data.
References to ‘OFFICIAL systems’, ‘OFFICIAL mobile devices’, ‘OFFICIAL cables’ and ‘OFFICIAL wall outlet boxes’ were replaced with OFFICIAL: Sensitive terminology (e.g. OFFICIAL: Sensitive mobile devices) to correctly reflect the highest sensitivity of data such systems, devices and infrastructure can process, store and communicate (i.e. up to Business Impact Level 2).
Sep 2023
Personnel accessing OFFICIAL: Sensitive or PROTECTED systems or data using privately-owned mobile devices or desktop computers have enforced separation of work data from personal data.
The existing control relating to the use of privately-owned mobile devices for accessing OFFICIAL: Sensitive or PROTECTED systems or data was amended to separate out the requirement for an approved mobile platform into its own control. [ISM-1400, ISM-1867]
Sep 2023
Personnel accessing OFFICIAL: Sensitive or PROTECTED systems or data using privately-owned mobile devices or desktop computers have enforced separation of work data from personal data.
Existing controls relating to the use of privately-owned mobile devices were amended to include privately-owned desktop computers when used as part of working from home arrangements. [ISM-1297, ISM-1400, ISM-0694]
Sep 2022
Personnel accessing OFFICIAL and PROTECTED systems or data using a privately-owned mobile device use an ASD-approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of work and personal data.
The language for existing controls covering the use of privately-owned mobile devices and organisation-owned mobile devices was amended to ensure consistency, noting recommendations for securing their use have not changed.
Dec 2021
Personnel accessing OFFICIAL and PROTECTED systems or data using a privately-owned mobile device use an ACSC-approved platform, a security configuration in accordance with ACSC guidance and have enforced separation of work data from any personal data.
Miscellaneous changes were made to rationale and security controls throughout the publication. This included:
• A review from the Using the Information Security Manual chapter through to the Guidelines for Media chapter.
• Security controls suitable for all audiences have been identified with the ‘All’ applicability marking while additional security controls suitable for just government audiences have been identified with the O, P, S and TS applicability markings.
• Security controls suitable for specific classifications have been amended to include their classification(s) in the wording of the security controls to reduce the reliance on applicability markings to confer suitability.
• Tables in security controls have been converted into prose to allow for inclusion in the SSP annex template and the XML list of security controls.
• The use of ‘official’ and ‘highly classified’ terminology has been replaced with specific classifications to remove ambiguity.
• Security controls relating to high assurance ICT equipment have had their applicability narrowed to ‘S, TS’ reflecting that they are intended for the protection of SECRET and TOP SECRET systems and data.
Aug 2020
Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information.
Security controls 1400 and 0694 were amended to note that they relate to the access of an organisation’s systems or information.
Jul 2020
Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information.
Oct 2019
Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information.
Security control 1400 was modified slightly to adopt new terminology.
Sep 2019
Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC hardening guidance, and have enforced separation of official and classified information from any personal information.
Aug 2019
Personnel accessing official or classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC hardening guidance, and have enforced separation of official and classified information from any personal information.
Security control 1399 was reviewed and merged into security control 1400.
Jul 2019
Personnel accessing classified information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC hardening guidance, and have enforced separation of classified and personal information.
2015
Agencies permitting personnel to access or store classified information using non-agencyowned mobile devices must ensure an ASD approved platform with an appropriate securityconfiguration in accordance with ASD’s associated hardening guide for that device is used.