Type: Department of Customer Service Circular
Identifier: DCS-2023-01
Status: Active

DCS-2023-01 Cyber Security NSW Directive - Protecting NSW Government information on government-issued devices

Description

Preventing the installation and removing existing instances of the TikTok application on government-issued devices

Detailed Outline

Overview

NSW Government clusters and agencies are required to appropriately manage risks – including those posed by the social media platform TikTok – to NSW Government information on government-issued devices. Clusters and agencies are directed to:

  • prevent the installation of, and remove existing instances of, the TikTok application on government-issued devices, unless there is a legitimate business need (please see further guidance below)

  • ensure they have a risk management process in place to identify, assess, approve and manage those cases where there is a legitimate business need for the TikTok application

  • update relevant policies to provide direction on the use of TikTok.

This Circular comes into effect from the issue date and should be implemented as soon as practicable.

This Circular applies to all NSW Government departments and Public Service agencies, including statutory authorities and all NSW Government entities that submit an annual report to a Secretary of a lead department or cluster, direct to a Minister or direct to the Premier. In this Circular, references to “clusters” mean the departments listed in Part 1, Schedule 1 of the Government Sector Employment Act 2013. The term “agency” is used to refer to any or all NSW Government departments, Public Service agencies and statutory authorities.

While this Circular is mandatory for clusters and agencies, other NSW Government entities, including local councils and state-owned corporations, are encouraged to follow this guidance.

Alignment to Commonwealth risk mitigation of TikTok

On 4 April 2023, the Commonwealth Attorney-General announced amendments to the Commonwealth Protective Security Policy Framework (PSPF) to allow the Secretary of the Attorney-General’s Department to issue mandatory directions to government entities that require them to address security risks to the Commonwealth.

As part of this change to the PSPF, a direction has been issued to prevent Federal Government entities from accessing and installing the TikTok application on government-issued devices.

The Commonwealth direction is intended to address emerging risks posed by the TikTok application and to maintain security standards within the Federal Government.

The Commonwealth direction:

  1. applies to non-corporate Commonwealth entities within the Federal Government

  2. is not a nation-wide ban and does not apply to the general public

  3. does not affect personal use on personal devices.

Where legitimate business reasons exist for the use of this application, the Commonwealth direction requires its use to be approved by an entity’s Chief Security Officer and appropriate security mitigations to be applied.

Following the Commonwealth Government position, the NSW Government is implementing this Circular for applicable entities.

Source: https://www.protectivesecurity.gov.au/system/files/2023-04/direction-on-tiktok-application.pdf

Cyber security risks of social media

The Australian Cyber Security Centre provides guidance on risks related to devices and applications. Agencies should consider this guidance when identifying appropriate risk management strategies:

“Social media and messaging… typically collect extensive data as part of their business model. These apps may also collect additional data from individuals’ devices, which extends beyond the content of messages, videos and voice recordings…”

Source: https://www.cyber.gov.au/acsc/view-all-content/publications/security-tips-social-media-and-messaging-apps

“Risks are primarily due to the likelihood of devices storing unprotected sensitive data being lost or stolen, use of corporately unapproved applications and cloud services to handle sensitive data, inadequate separation between work-related use and personal use of a device, and the organisation having reduced assurance in the integrity and security posture of devices that are not corporately managed. Additional risks arise due to legal liability, regulatory obligations and legislation requiring compliance, and the implications for the organisation’s budget and personnel resources.”

Source: https://www.cyber.gov.au/acsc/view-all-content/publications/risk-management-enterprise-mobility-including-bring-your-own-device

Legitimate business reasons for TikTok

Agencies must ensure they are appropriately managing risks to their staff, information and assets.

There may be circumstances in which NSW Government clusters, agencies or staff require access to the TikTok application for work purposes, e.g. communications, promotions and research. In these cases, an adequate risk assessment (consistent with the guidelines set out in the ‘Cyber security risk management requirements’ below) must first be completed in consultation with the agency or cluster Chief Information Security Officer or equivalent and may only proceed with their approval. Agencies using the TikTok application must also implement risk mitigation strategies in accordance with Cyber Security NSW guidance (Cyber Security NSW is developing more detailed advice, which will be provided to clusters and agencies).

Agencies should also continue to manage third-party risk per the requirements of the NSW Cyber Security Policy.

Staff obligation to comply with agency policies

If staff use a personal device to access work-related emails, messaging or documents – in line with departmental bring-your-own-device (BYOD) policies – they must ensure that their device use is compliant with agency policies, e.g. acceptable use of IT and information security policies.

Note: Staff should ensure that they use any personal devices in a cyber secure way, even where they are not accessing NSW Government systems or information.

Source: https://www.cyber.gov.au/acsc/view-all-content/guidance/personal-cyber-security-first-steps-guide

Cyber security risk management requirements

Agencies must take appropriate steps to manage the risks to NSW Government information and systems from device use. This includes conducting risk assessments that consider:

  • how threats, risks and vulnerabilities are impacting the protection of an agency’s people, information and assets, and how they are being mitigated

  • the agency’s tolerance to security risks, with an explicit record that risk tolerance and risk appetite has been assessed and accepted by the relevant executive level committee

  • the maturity of the agency’s capability to manage security risks, and the agency’s strategies to implement security risk management as well as manage and respond to incidents that occur on government-issued and BYOD devices that result in the loss or compromise of information and/or assets

  • how the entity will maintain a positive risk culture and deliver against the NSW Cyber Security Policy and other applicable policies and legislation, e.g. the State Records Act 1998 (NSW).

Agencies that accept the risks of the use of personal devices to access official or classified system data (i.e. pursuant to remote access arrangements including BYOD and equivalent policies) must formally accept the risk of TikTok as part of this position and provide suitable mitigations for identified security risks, considering Cyber Security NSW guidance.

Following the identification of risk and the application of risk mitigation controls, agencies must implement or update a security awareness program to inform staff of the risks and impacts of applications and social media platforms to NSW Government systems and information.

Overview

Who needs to know and/or comply with this?

  • Departments
  • Separate agencies
  • Statutory Authorities/Bodies

Compliance: Mandatory

AR Details

Date Issued: Apr 6, 2023
Review Date: Apr 6, 2024
Replaces:
Replaced By:

Contacts

Contact: https://www.digital.nsw.gov.au/policy/cyber-security
Phone: 02 9228 5555
Publishing Entity: Department of Customer Service
Issuing Entity: Department of Customer Service