Customer Service

Type:
Department of Customer Service Circular
Identifier:
DCS-2025-01
Status:
Active

DCS-2025-01 Cyber Security NSW Directive - Restricted Applications List

Description

Preventing the access and installation, as well as removing existing instances of, products, applications and web services from NSW Government-issued devices, or personal devices that are used for government business, that are identified as posing unmanageable foreign ownership, control or influence (FOCI) risks.

This Circular replaces and supersedes DCS-2023-01 Cyber Security NSW Directive - Protecting NSW Government information on government-issued devices.

Attachments

Detailed Outline

Overview

NSW Government agencies are required to appropriately manage risks to NSW Government information on government-issued devices, or personal devices that are used for government business by:

  • preventing the access, use or installation of, and removing existing instances of, the listed applications (including products and associated web services) on government-issued devices, or personal devices that are used for government business, unless there is a legitimate and approved business need.

  • ensuring they have a risk management process in place to identify, assess, approve and manage those cases where there is a legitimate business need for access to these applications.

  • updating relevant policies that provide direction on the use of these products, applications and web services.

The NSW Government has identified several relevant restricted applications, which are included in Attachment A (Restricted Applications List). Each restricted application is detailed in a separate schedule to this Circular, which incorporates further details relating to that specific application.

This Circular comes into effect immediately on the Date Issued.

Definitions

In this Circular unless otherwise defined:

  • “products, applications and web services” constitutes all products, applications, solutions, websites and web services supplied directly or indirectly by the restricted providers outlined in this document, or any of their predecessor, successor, parent, subsidiary, or affiliate companies. This does not include open-sourced Large Language Models (LLMs) where the entire codebase is available for inspection, the model is deployed locally on a government system, and appropriate mitigations are in place. In this Circular, “applications” refers to products, applications and web services.

  • “devices” refers to laptops, workstations and mobile devices.

  • “Government-issued” refers to any device owned and/or supplied by a NSW Government entity that has access to NSW Government systems or sensitive or classified information.

Scope and Implementation

This Circular applies to all Public Service agencies as defined in the Government Sector Employment Act 2013, Schedule 1 (Parts 1, 2 and 3). It also applies to the NSW Police Force. While this Circular is mandatory for those agencies, other NSW Government entities, including councils and state-owned corporations, are strongly encouraged to follow this guidance voluntarily.

Restricted applications

The applications currently restricted by this Circular are listed in Attachment A. 

Alignment with the Commonwealth Government risk management directions

On 4 April 2023, the Commonwealth Attorney-General announced amendments to the Commonwealth Protective Security Policy Framework (“PSPF”) to allow the Secretary of the Attorney-General’s Department to issue mandatory Directions to government entities that require them to address security risks to the Commonwealth. 

NSW Government alignment with Commonwealth advice on these applications is crucial to protecting our information systems and data. Each PSPF Direction is considered by the NSW Government on a case-by-case basis as to its applicability to our own environments.

More information on the PSPF Directions is available in the attachments to this Circular. 

Cyber security risk management requirement

Agencies have an ongoing positive obligation to take appropriate steps to manage the risks to NSW Government information and systems from device use. This includes conducting risk assessments for the listed applications that consider:

  • how threats, risks and vulnerabilities are impacting the protection of an agency’s people, information and assets, and how they are being mitigated

  • the agency’s tolerance to security risks, with an explicit record that risk tolerance and risk appetite has been assessed and accepted by the relevant executive level committee

  • the maturity of the agency’s capability to manage security risks, and the agency’s strategies to implement security risk management as well as manage and respond to incidents that occur on government-issued and bring-your-own devices (BYODs) that result in the loss or compromise of information and/or assets

  • how the agency will maintain a positive risk culture and deliver against the NSW Cyber Security Policy and other applicable policies and legislation, e.g. the Digital NSW AI Assessment Framework and the State Records Act 1998 (NSW).

Agencies that accept the risks of the use of personal devices to access official or classified system data (i.e. pursuant to remote access arrangements including BYOD and equivalent policies) must formally accept the risk of these applications as part of this position and provide suitable mitigations for identified security risks, considering Cyber Security NSW guidance.

Following the identification of risk and the application of risk mitigation controls, agencies must implement or update a security awareness program to inform staff of the risks and impacts of applications and social media platforms to NSW Government systems and information. 

Staff obligation to comply with agency policies

If staff use a personal device to access work-related emails, messaging or documents, in line with departmental BYOD policies, they must ensure that their device use is compliant with agency policies, e.g. acceptable use of IT and information security policies. NSW Government staff must not access the restricted applications listed in this Circular on any device that is used to access NSW Government information.

Note: Staff should ensure that they use any personal devices in a cyber-secure way, even where they are not accessing NSW Government systems or information.

Source: https://www.cyber.gov.au/acsc/view-all-content/guidance/personal-cyber-security-first-steps-guide

Overview

Who needs to know and/or comply with this?

Departments
Executive agencies related to Departments
Separate agencies
Statutory Authorities/Bodies
General Government Sector

Compliance

Mandatory

AR Details

Date Issued
Feb 14, 2025
Review Date
Feb 14, 2026
Replaces
Replaced By

Contacts

Contact
https://www.digital.nsw.gov.au/delivery/cyber-security
Phone
Publishing Entity
Department of Customer Service
Issuing Entity
Department of Customer Service