Customer Service

Type:
Department of Customer Service Circular
Identifier:
DCS-2022-03
Status:
Active

DCS-2022-03 Accessing NSW Government digital systems while overseas

Description

Agencies are required to implement this circular to improve the cyber security of staff who indicate they intend to access their NSW Government systems (including emails) from overseas. Staff must seek approval from their agency or department cyber security team if they are intending to access their NSW Government ICT accounts while overseas whether the travel is being undertaken in a personal capacity (such as leave) or professional (such as presenting at conferences and approved working from overseas).

Detailed Outline

This circular is focussed solely on cyber security considerations for staff (including contractors directly employed by NSW Government agencies) accessing NSW Government systems when overseas. This circular provides these considerations irrespective of the nature of the overseas travel being undertaken.

This circular does not address work, health and safety, insurance, physical security and any other matters that should also be considered when assessing any requests to work from overseas.

This circular does not apply to third-party service providers and vendors. Agencies should continue to manage third-party risk consistent with the requirements of the NSW Cyber Security Policy.

Cyber Security Risks

The Australian Cyber Security Centre guidance on these risks notes:

The targeting of electronic devices used by personnel during overseas travel is a real and persistent threat. Electronic devices likely to be targeted include, but are not limited to, corporate and personal laptops, phones, tablets and removable media such as USB drives and SD cards. The compromise of electronic devices could impact the ongoing operation and security of an organisation’s business.

Generally, the risks associated with electronic device usage during overseas travel are:

  • The compromise of electronic devices could give an adversary access to sensitive information (including user credentials). This could immediately impact the integrity, confidentiality or operational security of an organisation’s business activities.

  • The compromise of electronic devices could allow an adversary to propagate into any connected networks putting additional sensitive information on such networks at risk. This could have a long-lasting impact on the integrity and confidentiality of an organisation’s business activities.

  • The compromise of electronic devices belonging to personnel could result in immediate or ongoing operational security or safety concerns for targeted personnel.

Source: https://www.cyber.gov.au/acsc/view-all-content/publications/travelling-overseas-electronic-devices

Consideration of Requests

There is a strong presumption against NSW Public Sector employees residing and working outside of Australia.

Any request to work overseas must be approved by the relevant Deputy Secretary or higher, with consultation with the Chief Information Security Officer (CISO) or equivalent, on a ‘by exception’ basis.

Agencies must ensure they are appropriately managing risks to their staff, information and assets.

Agencies must also ensure that their staff are compliant with any Commonwealth requirements including reporting and consent requirements for the Australian Government Security Vetting Agency (AGSVA) security clearance holders.

This circular applies to all staff that seek to access NSW Government systems from overseas including staff that are covered by C2016-04-Information Security Policy for Ministers, Ministers’ Staff, Department Secretaries and Senior Executives Travelling Overseas.

To assess cyber and other security related threats, the following shall apply from the date of issue of this circular:

  • accessing NSW Government systems from the United States of America, Canada, the United Kingdom and New Zealand should be considered low risk, and

  • remote working from all other countries should be assessed on a case-by-case basis by the Chief Information Officer (CIO) and CISO using existing or updated security assessment processes.

Approval should not be given to access NSW Government systems from any overseas location determined to be high risk from a cyber and other security related perspective.

Approval to access NSW Government systems remotely from an overseas location should only be considered where the relevant Deputy Secretary, Secretary or Agency Head and entity can accept and make every effort to mitigate all associated risks.

Cyber Security Risk Management Requirements

To support the risk management of approved requests for accessing NSW Government systems while overseas, and to guarantee every effort has been made to mitigate all associated risks, agencies must:

1. Create or update an agency Cyber Security Plan to enable staff to access NSW Government systems from overseas locations.

The plan must include:

  • an outline of how all threats, risks and vulnerabilities are being mitigated, including risks relating to travel and foreign interference impacting the protection of an entity’s people, information and assets

  • consideration for tiering of strategies implemented based on a lower-risk tier (United States of America, Canada, the United Kingdom and New Zealand) and a higher-risk tier (everywhere else)

  • the route to lower-risk countries should also be considered, including in-transit travel risks during layovers and stops

  • the entity’s tolerance to security risks, and an explicit record that risk tolerance and risk appetite has been assessed and accepted by the relevant executive level committee

  • the maturity of the entity’s capability to manage security risks, the entity’s strategies to implement security risk management and the entity’s strategies to manage and respond to incidents that occur overseas which result in the loss or compromise of information and/or assets

  • how the entity will maintain a positive risk culture and deliver against the NSW Cyber Security Policy and other applicable policies and legislation including the State Records Act

  • consideration of all relevant data sovereignty requirements, and

  • a process for organising briefings and notification for staff who hold Australian Government security clearances, where required.

2. Create or update a register of approvals for staff accessing NSW Government systems while overseas.

The register must:

  • identify the location and timeframe of the approval

  • include the evidence of risk assessment (including evidence of actions taken to mitigate risks identified) and approval by the relevant Deputy Secretary, Secretary or Agency Head, and

  • include processes to formally document, consider and accept the risk if staff are found to be accessing NSW Government systems while overseas without approval, prior warning or notification.

3. Create or update a security awareness program specific to staff who are/will be accessing NSW Government systems while overseas.

The program must include:

  • training on the process for reporting any incident (suspected or actual) while in transit or overseas, and

  • the development of, or utilisation of awareness content by Cyber Security NSW, to be provided to staff on a regular basis to remind them of their obligations and appropriate cyber hygiene practices.

Cyber Security NSW has template security plans and policies available for entities to use. Entities are also expected to engage with their cluster CISO (or Cyber Security NSW for independent agencies) for guidance on appropriate risk assessment and controls to support the development of their security plan.

At the time of implementation of this circular, NSW Government staff already accessing NSW Government systems from overseas, including in a permanent, official capacity, should be identified and appropriate protections put in place as per the above requirements. The entity must accept the risks associated with these staff.

Agencies not adhering to the requirements of this directive may be inadequately managing the risks to their staff, information and assets. If agencies are unable to adhere to these requirements, they are strongly advised to reject any requests to allow staff to access NSW Government systems from overseas and not enable access from overseas locations until such time as they can comply with this requirement.

This circular complements C2016-04 Information Security Policy for Ministers, Ministers’ Staff, Department Secretaries and Senior Executives Travelling Overseas. Where requirements for Senior Executives in this circular and C2016-04 differ, C2016-04 takes precedence.

Overview

Who needs to know and/or comply with this?

Departments
Executive agencies related to Departments

Compliance

Mandatory

AR Details

Date Issued
Aug 19, 2022
Review Date
Aug 19, 2023
Publishing Entity
Department of Customer Service
Issuing Entity
Department of Customer Service