UNCLASSIFIED UNCONTROLLED-IF-PRINTED
Defence Security Manual
DSM Part 2:31 Off-Site Work
Version 4
Publication date July 2015
Amendment list 23
Optimised for Screen; Print; Screen Reader
Releasable to Public

Compliance Requirements

Defence personnel are, and external service providers subject to the terms and conditions of their contract may be, bound by security policy contained in the DSM and Information Security Manual (ISM). Failure to comply with the mandatory requirements of the DSM and ISM may result in action under the relevant contract provision or legislation including, but not limited to, the Defence Force Discipline Act 1982, the Public Service Act 1999, and the Crimes Act 1914.

Mandatory requirements in the DSM and ISM are identified through the use of the terms must / must not and should / should not. Compliance with these requirements is mandatory unless the appropriate authority, if applicable, has considered the justification for non-compliance and accepted the associated risk through the granting of a dispensation. The terms 'recommend' and 'may' are used to denote a sensible security practice, and non-compliance need not be approved or documented.

Note: Non-compliance with a sensible security practice ought to be informed by sound risk management principles.

The DSM compliance regime, including the authority to approve non-compliance with mandatory requirements, the use of dispensation indicators, and how to apply for a dispensation, is detailed in DSM Part 2:1 Dispensations.

Copyright © Commonwealth of Australia 2010. This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Department of Defence. Requests and inquiries concerning reproduction and rights should be addressed to Defence Publishing Services, Department of Defence.

Introduction

1. Defence personnel and external service providers may need to undertake duties outside their office or usual workplace. Working off-site, however, brings with it additional protective security risks that cannot be managed in the same way as work undertaken in the office.

2. The purpose of Defence Security Manual (DSM) Part 2:31 is to reduce the security risk associated with off-site work by defining the security policy regarding off-site work and the additional security measures required.

Policy

3. Defence will ensure that, where there is a requirement for individuals to perform off-site work, the necessary security measures and practices will be in place to ensure official information is protected in a manner that prevents unauthorised access by, or disclosure to, those who do not have the appropriate security clearance and/or a need to know.

Process

Approvals

4. Off-site work must not [Auth:None] be conducted prior to approval by an appropriate delegate in accordance with the roles and responsibilities section of this DSM Part.

5. Commanders, managers or contract managers who are either approving or processing an approval to a higher authority must [Auth:None] ensure that:
   a. any individual that is approved to engage in off-site work has read this DSM part and any applicable referenced material and acknowledges their understanding of their responsibilities; and
   b. there is a home-based work agreement established for:
      (1) home-based work; or
      (2) any work-from-home arrangement involving the physical storage of information with a 'handle-as' classification of PROTECTED or above.

Protecting Official Information

6. When engaged in off-site work, including remote access, Defence personnel and external service providers must not [Auth:None] allow people who are not appropriately cleared or do not have a need to know to view, overhear or otherwise access any official information which has not been authorised for public release.

7. To guard against unauthorised access, including that which is accidental or unintentional, the information must not [Auth:None] be accessed, read or discussed while in any public site in which uncleared people can see or hear the information.

8. Access is permitted, where it is reasonable to assume that uncleared people cannot see, hear or record the information, to:
   a. UNCLASSIFIED DLM marked information via remote access or in hardcopy; and
   b. information classified PROTECTED and above in softcopy only, via an accredited remote access system such as DREAMS, or via a device that has a 'handle-as' classification of For Official Use Only (FOUO) or lower.

   Example: It is acceptable to work on a Defence laptop using DREAMS to access up to PROTECTED content at home or in a hotel room when uncleared people cannot see the information.

9. Hard copy documents and ICT equipment and media with a 'handle-as' classification of PROTECTED or above must not be accessed in a public site.

   Example: Printed PROTECTED documents, unencrypted SECRET CDs or other devices that do not implement Australian Signals Directorate (ASD) approved encryption to reduce the 'handle-as' classification to UNCLASSIFIED or FOUO cannot be used or accessed in a public site. They are to remain secured in accordance with DSM Part 2:33 Physical Transfer of Classified Information and Security-Protected Assets at all times in such locations.

   Note: Overnight carriage of classified information is covered in DSM Part 2:33 Physical Transfer of Classified Information and Security-Protected Assets. Access to this material is not permitted while in transit between secure locations. It is to remain secured in a tamper evident enclosure in accordance with the aforementioned DSM part.

10. Hard copy documents and ICT equipment and media with a 'handle-as' classification of PROTECTED or above must not be accessed at home without a home-based work agreement. Access to this material under an ad hoc work-from-home arrangement is not permissible. Access always requires a home-based work agreement.

   Note: There are no circumstances where you can 'informally' remove PROTECTED and above hard copy material or unencrypted devices in order to conduct off-site work. This applies regardless of any remote access approvals in effect. In these circumstances secure storage is required.

   Example: A user has been supplied a SECRET Personal Digital Assistant (PDA) with ASD approved encryption allowing remote access from home or other locations. The user cannot remove a SECRET document or an unencrypted SECRET laptop or CD, as they cannot secure them at home.

Protecting Classified Conversations

11. It is easier to record a classified conversation than it is to mount a camera to record a laptop's screen or a document being read. The risk of conducting classified conversations is therefore much higher than reading an email or typing a document. Secure mobile phones with ASD approved encryption are a particular risk because they are issued in order to allow the user to make classified calls from unsecured areas.

12. Classified conversations are to be protected from being overheard or recorded when being conducted off-site. The following measures are designed to reduce the threat of classified conversations being overheard or recorded:
   a. Classified conversations, including telephone calls and mobile video conferences, must not [Auth:None] be held in hire cars, hotel rooms, or conference rooms that are themselves not audio secured as approved by the Australian Government. These areas are at high risk of audio surveillance, particularly when travelling overseas.
   b. Holding classified conversations in other closed public spaces, while sitting or standing in one place, easily allows the conversation to be overheard or recorded. Classified conversations must not [Auth:None] be held in closed public spaces including, but not limited to, public aircraft, airport lounges, the local cafe etc.

      Note: Hire cars are at increased risk as modern vehicles now come with an embedded internet connected mobile phone that can be remotely activated without the occupant's knowledge.

   c. Where no secure facility is available and a classified conversation/telephone call is essential to Defence business, it is recommended to find an open public place such as a park or other open area and conduct the conversation while walking, being careful to ensure the conversation is not overheard by casual observers. Parks and open areas offer the greatest protection from both casual and deliberate audio surveillance.

      Note: If you or your companions are carrying a private phone and a secure phone, the private phone may be targeted in order to intercept a secure phone call. Therefore leave private phones behind, or turn them off completely by removing the battery, when engaged in classified discussions. Smart phones are computers connected to the Internet, and a smart phone's microphone and camera can be turned on at any time without a user's knowledge.

   d. The risk of audio interception is greatly increased when travelling overseas. It is therefore recommended that wherever possible classified information, including conversations/telephone calls, is accessed within secured facilities. Allied secure facilities are acceptable, provided they are accredited to the appropriate level. Do not discuss Australian Eyes Only (AUSTEO) material.
   e. Where classified conversations need to be conducted at home, e.g. on a secure phone, particular attention needs to be paid to the presence of uncleared adults, young adults and children. Children over the age of 10 years generally have a well-developed long term memory, a good ability to comprehend information, and a strong sense of curiosity. Exposing them to classified information therefore represents a significant security risk. Where there is an expectation that classified discussions will occur regularly at home, advice on audio security countermeasures must be sought from the Defence Security and Vetting Service (DS&VS), as there may be an increased risk of targeting by Foreign Intelligence Services.

Geolocation Security

13. In the rare event that your location or out of office trip is itself classified, then you must protect your location data. In order to do this:
   a. do not use your private mobile (its unique ID/SIM card can be used to track you, especially overseas);
   b. remember to turn off your GPS;
   c. disable any application location services;
   d. do not log in to your social networks; and
   e. do not take tourist photos.

   Note: Geolocation security may apply to operations and operational areas; where this is the case this will be covered in an Operational Security instruction.

Physical Storage Requirements for Off-Site Work

14. Defence personnel and external service providers conducting off-site work are required to comply with the procedures for handling and protecting official information during use, storage, transfer and transmission as outlined in DSM Part 2:60 Physical Security.

   Note: Special requirements exist for the overnight carriage of information classified PROTECTED or above (see DSM Part 2:33 Physical Transfer of Classified Information and Security-Protected Assets).

15. Physical storage measures for ICT equipment may be reduced by using ASD approved encryption that reduces the 'handle-as' classification of electronic devices and media to a lower classification.

16. Accredited remote access systems and products that implement ASD approved encryption reduce the 'handle-as' classification when the encryption is active. These protection measures don't work if the encryption is not activated. Depending on the device, this could occur if the device is in standby power mode; therefore users must follow the device's Standard Operating Procedures (SOP) to ensure that it is placed in a secure state if the device is to be left unattended.

   Example: A High Grade Silicon Data Vault (HGSDV) encrypted laptop uses ASD approved encryption to reduce the device's classification from SECRET to UNCLASSIFIED. A safe is not required to store the device when powered off, but the device still needs to be protected from theft.

17. Whenever any information with a 'handle-as' classification of PROTECTED or above needs to be stored at home, a home-based work agreement is required.

Disposal of Official Information

18. Defence personnel or external service providers working off-site are required to dispose of classified waste in accordance with DSM Part 2:30 Classification and Protection of Official Information. If classified waste generated off-site cannot be disposed of appropriately, it must [Auth:None] be securely stored until it can be securely transferred to a facility that can properly dispose of the waste.

Reporting of Security Incidents or Change in Security Circumstances

19. When Defence personnel or external service providers working off-site become aware of any incident that may indicate or suggest that security classified material has been compromised, tampered with or stolen, they are to immediately report this in accordance with DSM Part 2:12 Security Incidents and Investigations.

   Note: Early reporting in accordance with DSM Part 2:12 Security Incidents and Investigations may prevent further compromise and minimise the extent of damage of the security incident.

Remote Access

20. Defence permits remote access to some of its ICT networks via accredited remote access solutions. In some circumstances it may also supply users with a stand alone device such as a laptop to conduct off-site work. Remote access permits authorised users to conduct off-site work on a variety of devices. Approvals for remote access are conducted when the account/device is requested and remain in effect until the account/device is surrendered or the user changes positions.

   Note: The granting of a remote access approval does not permit the removal of hardcopy information classified PROTECTED or above. Whenever information with a 'handle-as' classification of PROTECTED or above needs to be stored at home, a home-based work agreement is required.

Remote Access Approvals

21. Before granting remote access to a user, the area provisioning the capability must [Auth:None] gain the approval of an appropriate delegate in accordance with the roles and responsibilities section of this DSM Part.

Remote Access Processing Restrictions applicable to Systems Administrators

22. The risk of compromise to networks increases greatly when remote access solutions are used to undertake systems administration activities from beyond the network boundary.

23. In accordance with ISM Control 0985 or ISM Control 0709 (dependent on the classification of the system being remotely accessed), remote privileged access must not [Auth:Sec, No Delegate] be undertaken unless the remote access system has been accredited specifically for this purpose and has been granted a dispensation against these ISM controls. This includes logging onto the remote access system with user level privileges, then escalating to privileged access within the session.

Restrictions on ICT Equipment used for Off-Site Work and Remote Access

24. Public devices are extremely vulnerable to exploitation and are assumed to be compromised and actively collecting information, including by hardware and software techniques such as keyboard logging, screen scraping or remnant data access from memory. These techniques are widespread and are often used to collect valuable commercial information from public computers. These techniques are used to capture encrypted information when it is displayed or entered in unencrypted form.

25. As a result of the increased risk of using public devices, the Australian Government has directed within the Protective Security Policy Framework (PSPF) that the use of these devices is to be prohibited. Therefore, Defence personnel and external service providers must not [Auth:None] use public devices to access any official information that has not already been authorised for public release or to perform remote access to Defence systems.

   Note: This restriction includes all forms of access, including using remote access systems from public computers or reading material on a CD, encrypted thumb drive or other removable media from these devices.

   Example: Defence personnel or external service providers may log in to an airport lounge terminal to view the Defence external (Internet) home page to read a published report. However, Defence personnel or external service providers may not use the terminal to log into DREAMS or to read official information that has not been approved for public release, regardless of whether it is stored on an encrypted flash drive.

26. Defence personnel and external service providers must not [Auth:None] use privately owned devices to process any official information that has not been authorised for public release.

   Exclusion: In accordance with ISM Control 0693, privately owned devices may be used for remote access to Defence networks up to PROTECTED via accredited remote access solutions.

   Exclusion: Access is also permitted to information that is hosted via an accredited solution from a privately owned device.

   Example: You can use DREAMS from your home computer or own phone because DREAMS is accredited and the endpoints are privately owned devices.

   Example: You can use the self service functions of PMKEYS, CAMPUS etc offered over the internet via the Defence gateway from your own computer. The gateway solution that offers the information is accredited and the endpoint is a privately owned device.

   Example: You cannot email your work to your own device, or read or access Defence material on a CD, encrypted thumb drive or other removable media from a privately owned device. In this instance there are no protections in place for the information.

27. In accordance with ISM Control 0694, privately owned devices must not [Auth:Sec, No Delegate] be used for remote access to information and systems classified CONFIDENTIAL and above.

28. Users with a requirement for CONFIDENTIAL and above remote access must [Auth:None] use an accredited Defence-controlled remote access device and receive approval by an appropriate delegate in accordance with the roles and responsibilities section of this DSM part.

29. Remote access devices used to process information CONFIDENTIAL or above must [Auth:None]:
   a. use ASD approved encryption to reduce the 'handle-as' classification to UNCLASSIFIED or FOUO; or
   b. be handled and stored in accordance with the device's actual classification.

Work-from-Home

30. Defence employees may work from home on an irregular and casual basis with a commander or manager's approval. This includes the use of a remote access solution such as DREAMS.

31. Employees may take home hardcopy UNCLASSIFIED DLM marked material such as a FOUO document, provided that it is stored away from casual unauthorised access while at home, using a locked commercial filing cabinet or locked secure briefcase over which the employee maintains positive control.

32. There are no circumstances where an employee can 'informally' remove PROTECTED and above hardcopy material in order to take it home. Whenever information with a 'handle-as' classification of PROTECTED or above needs to be stored at home, a home-based work agreement is required (see paragraph 34.b).

   Example: Even where an employee has a DREAMS account and can use this to work from home on up to PROTECTED softcopy material, the employee cannot take a hardcopy of PROTECTED or above documents home, even if it is only overnight.

Home-Based Work

33. The Australian Government encourages flexible working arrangements. While home-based work is not an individual's right, security considerations in and of themselves do not prevent Defence employees from conducting home-based work.

34. A Defence employee must [Auth:None] enter into a home-based work agreement:
   a. where Defence has agreed to flexible working arrangements that permit the conduct of regular working hours from home as part of the employee's conditions of employment; or
   b. whenever information with a 'handle-as' classification of PROTECTED or above needs to be stored at home.

   Note: Sites not under the sole control of the Australian Government are treated as Zone One for physical security purposes. See DSM Part 2:60 Physical Security for further information.

   Example: A Defence employee who is working at an alternate location such as a shared office may not be able to exercise complete control over alarms and may therefore require a home-based work agreement.

Approval

35. Commanders and managers must not [Auth:None] allow home-based work to occur unless:
   a. a home-based work agreement is in place which is approved by an appropriate delegate in accordance with the roles and responsibilities section of this DSM part;
   b. the home and any ICT systems in use have been accredited to handle the highest classification of work to be conducted, in accordance with DSM Part 2:4 Facilities and ICT Systems Security Accreditation;
   c. SOP for the transfer, handling, storage and destruction of official information at the home-based site have been developed; and
   d. the home-based employee has been briefed by their security officer on the policies contained in this DSM Part and the agreed SOP.

36. Commanders and managers are responsible for the security aftercare of their employees in accordance with DSM Part 2:20 Personal Security Clearance Processes. Staff who are working away from the office, particularly in remote locations, for example when accompanying a spouse on a posting, may become disconnected from regular support mechanisms. Therefore commanders and managers need to pay particular attention to personnel security aftercare in these circumstances.

37. Commanders and managers are responsible for ensuring that their home-based employees comply with SOP. If the commander or manager has evidence that a home-based employee has failed to comply with their security responsibilities and they have not responded to counselling and performance management processes, they should cancel the agreement and revert to standard working arrangements.

Home-Based Work Agreement

38. The home-based work agreement details the conditions of the home-based work and sets out the obligations for the home-based employee to protect any official information at the home-based site. It is developed by the commander or manager with the assistance of the security officer. It includes the resources that Defence (or, in the case of an external service provider, the employer) may supply in order to meet security requirements.

39. The agreement must include:
   a. a completed security risk assessment;

      Note: The assessment is to address both security (including physical security) and any safety concerns that may arise from employment.

      Example: A redeployment case worker could have an increased risk to their personal safety arising from frequent contact with disgruntled staff, in addition to regular work health and safety matters; these may dictate additional physical security measures such as a duress alarm.

   b. the maximum classification of work to be conducted by the employee, including:
      (1) classification of discussions;
      (2) classification of information processed on ICT systems; and
      (3) classification of information stored;
   c. the equipment that is to be supplied by either party or shared in order to perform the duties;
   d. any restrictions on equipment usage;

      Example: A requirement for family members not to use a Defence supplied computer.

   e. if ICT or physical accreditation is required, a copy of the accreditation certificate(s);
   f. Defence's right to conduct compliance checks in order to determine how official resources are protected at the home-based site;
   g. procedures for the secure storage of official information, including the provision of security containers suitable to store the maximum classification of information;
   h. procedures for the disposal or return of classified waste;
   i. a requirement to report any security related incidents at the premises to DS&VS; and
   j. procedures for the transfer of classified material to and from the home-based site.

Accreditation

40. For accreditation purposes, a home-based site is considered the same as any other Defence facility and may require accreditation. To determine if accreditation is required, refer to DSM Part 2:4 Facilities and ICT Systems Security Accreditation.

41. Physical accreditation of a home-based site is not required where information is only:
   a. accessed in electronic form up to PROTECTED, and the access device is protected by ASD approved encryption that reduces the 'handle-as' classification to UNCLASSIFIED or FOUO when not in use; and
   b. UNCLASSIFIED and DLM material is accessed in hardcopy form.

Reporting of Security Incidents and Concerns

42. Defence personnel or external service providers must [Auth:None] immediately report to DS&VS any activity that could threaten the security of official information, regardless of whether information compromise has occurred.

   Example: A failed break and enter at a home-based work property may require additional security measures to be implemented, even though there is no evidence of Defence material being targeted.

43. Any recommended remedial action arising from an incident must then be taken by the employee.

Costs

44. For Defence employees, the cost of any modification to the private residence to meet the standards of any physical and information systems security requirements is subject to negotiation between the employee and the relevant Group or Service.

Compliance Checks

45. Regular compliance checks of a home-based work agreement may be conducted in accordance with the terms and conditions outlined within DI(G) PERS 49-4 or the DECA.

Protecting Official Information at Events such as Conferences and Workshops

46. It is recommended that a risk assessment be completed for events handling UNCLASSIFIED DLM marked material, as exposure of this material in an event context is likely to have increased reputation impacts.

47. A risk assessment must be carried out for events:
   a. involving classified information or classified equipment and, in the case of conferences involving CODEWORD material, the agreement of the relevant compartment controller must be gained; and
   b. that are public or family open days to Defence or DISP accredited facilities.

48. Security instructions must be developed before any event is held in a public venue or Zone One area involving classified information, classified assets or other official information that has not been approved for public release.

   Example: When organising a workshop involving classified material that is held in an off-site facility.

49. It is recommended that instructions are developed for other situations not meeting the above criteria.

50. Security instructions can be simple but need to be tailored to the event. Depending on the nature of the event, they need to consider:
   a. entry and access control, including identification of staff and visitors, escort requirements, and the ratio of visitors to escorts;
   b. the carriage of official information to and from the venue;
   c. security clearances of facilitators, venue staff and escorts;
   d. the storage and handling of official information that is not for public release, including disposal and reproduction;
   e. access control procedures;
   f. the reporting of security incidents;
   g. security of equipment on display or in attendance;
   h. safety of attendees, including any requirement for an emergency service presence;
   i. the possibility of protest action or Foreign Intelligence Service collection activity (advice on these matters may be sought from DS&VS); and
   j. where the event is held on a base or Defence facility, contingency plans for any increase in SAFEBASE alert levels that may affect the event.

51. If classified information is to be discussed in non-accredited areas, advice must be obtained from either DS&VS or, in the case of CODEWORD information, compartment controllers, as technical surveillance countermeasures (TSCM) may be required (see DSM Part 2:65 Audiovisual Security for Classified Activities).

   Note: TSCM measures may also be required after events, depending on the level of access that has been granted to audio secure and PED prohibited areas.

52. If classified information or assets need to be stored in a Zone One or Two event site, for example overnight storage, advice should be obtained from the DS&VS regional office (see DSM Part 2:60 Physical Security).

   Note: For more general guidance on event security see DSM Part 2:2 Security Risk Management and Planning, Annex A.

Roles and Responsibilities

Deputy Secretary Intelligence and Security

53. The Deputy Secretary Intelligence and Security (DEPSEC I&S) is responsible for approving off-site work for:
   a. information that is classified TOP SECRET or carries a CODEWORD; and
   b. remote access to TOP SECRET and CODEWORD information and networks.

   Note: In accordance with the PSPF, the removal of TOP SECRET and CODEWORD information in order to work from home is not permitted without prior authorisation.

54. These responsibilities may be delegated no lower than SES Band 1/O7.

Group Heads and Service Chiefs

55. Group Heads and Service Chiefs are responsible for approving off-site work that involves:
   a. the physical storage of classified information with a 'handle-as' classification of PROTECTED, CONFIDENTIAL or SECRET, excluding CODEWORD information; and

      Example: Use of unencrypted laptops, storage of physical documents etc.

   b. remote access for CONFIDENTIAL and SECRET systems, excluding CODEWORD systems.

56. These responsibilities may be delegated no lower than SES Band 1/O7.

CODEWORD Compartment Controllers

57. Compartment controllers are responsible for:
   a. in respect to compartments managed on behalf of external agencies, liaising with those agencies on matters of shared security risk; and
   b. providing advice to DEPSEC I&S with regard to the approval, or otherwise, of off-site work involving official information that carries any CODEWORD for which they have a compartment control responsibility.

First Assistant Secretary Security and Vetting Service

58. The First Assistant Secretary Security and Vetting Service (FAS S&VS) sets Defence protective security policies associated with off-site work.

59. FAS S&VS is responsible for assessing the security arrangements and managing the accreditation for home-based work arrangements for Defence personnel and external service providers employed in joint service, Defence civilian units and DISP facilities.

Service Security Authorities

60. The Service Security Authorities (SSA) are responsible for assessing the security arrangements and managing the accreditation for home-based work arrangements for Defence personnel and external service providers employed in single-service units.

Commanders, Managers and Contract Managers

61. Commanders, managers and contract managers are responsible for the approval of off-site work:
   a. where physical storage is required for UNCLASSIFIED Dissemination Limiting Marker (DLM) marked information;

      Note: Commanders, managers and/or contract managers cannot approve off-site work that requires physical storage of information with a 'handle-as' classification of PROTECTED or above.

   b. for remote access to systems up to PROTECTED; and

      Example: An encrypted Defence laptop used for DREAMS access.

   c. for the conduct of work in Defence-supplied accommodation (whether in barracks, on exercise or on deployment).

      Note: In the majority of cases, Defence-supplied accommodation is not suitable for the conduct of classified work.

62. Commanders, managers and contract managers are responsible for staffing all other requests to DEPSEC I&S or the relevant Group Head or Service Chief.

Security Officers

63. Security officers are responsible for:
   a. assisting the commander, manager or contract manager to develop the security elements of a home-based work agreement;
   b. briefing the home-based employee on the policies contained in this part of the DSM and any agreed SOP; and
   c. briefing staff on any other off-site work security obligations.

External Service Provider Managers

64. External service provider managers are responsible for gaining the approval for off-site work for any affected staff from or through the relevant Defence contract manager before permitting work from home to be conducted using Defence information.

Defence Personnel and External Service Providers

65. Defence personnel and external service providers are responsible for complying with this DSM part and any other applicable instructions relating to any off-site work in which they engage. They are responsible for ensuring there is no unauthorised access by others to the official information that they access as part of the off-site work.

Key Definitions

66. Off-site work. Work undertaken in any location that would not be recognised as a usual workplace or one where Defence would not normally conduct day-to-day official business. Examples of this type of work may include work undertaken at home, during travel, in a hotel or conference centre, or by a Defence employee at a Defence contractor's premises. It does not include work conducted on operations and exercises (with the exception of approval processes for the conduct of classified work in accommodation areas such as barracks). Off-site work includes:
   a. Home-based work. A subset of off-site work that includes the regular performance of ordinary hours of duty at home, performed at a home-based site.
   b. Work-from-home. A subset of off-site work that includes the occasional, irregular and non-ongoing performance of duties conducted at a home that has not been accredited and has not been approved as a home-based site. Work-from-home is an ad hoc arrangement between a supervisor and an employee that allows the employee to temporarily perform duties from their home.
   c. Remote access. Access to a Defence stand alone computer or network from outside of either the normal office environment or a home-based site. Remote access is characterised by:
      (1) the provision of an ICT device that implements ASD approved encryption in order to permit offline work on official information that is not for public release; or

          Example: Laptop supplied for home use.

      (2) accessing a system or desktop session of any classification from an external network via an accredited gateway.

          Example: Defence Remote Electronic Access and Mobility Services (DREAMS) access to the Defence Restricted Network (DRN).

      Exclusion: Remote access does not cover Defence ICT support to Australian Defence Force (ADF) deployments or exercises; this is considered normal business.

67. Home. A private dwelling, Defence supplied accommodation (including service accommodation in barracks and on exercise) or an approved alternative place of work.

   Exclusion: For industry, where the private dwelling is the primary place of business it is considered as a facility and accredited in accordance with DSM Part 2:4 Facilities and ICT Systems Security Accreditation.

68. Home-based site. A security accredited private dwelling or other location that has been agreed between Defence and an employee as a regular place of work.

69. Home-based employee. An employee working at a home-based site.

70.
Home-based work agreement. A formal agreement between an employee and Defence documenting the conditions of home-based work. Agreements for: ADF members are conducted in accordance with DI(G) PERS 49-4; b. APS employees are conducted in accordance with the Defence Enterprise Collective Agreement (DECA); and c. External service providers will be documented via specific contract provisions. bl a. 71. Public site. Any place where neither the employee nor Defence can exert physical control over the local environment. Hotel conference rooms, public transport, airport lounges etc. Pu Example: 72. Defence Controlled Device. A device is under Defence control if it is owned by Defence or is subject to any agreement that legally binds the owner of the device to comply with all DSM and ISM security policies. Defence controlled devices include security classified assets owned by Defence Industry Security Program (DISP) members. Example: A DISP member supplies their own computer to process SECRET information. DISP membership contractually obliges the company to comply with all Commonwealth policies and the DSM therefore the device is under Defence control. 73. Privately Owned Device and Public Devices. Home computers, PED, laptops, phones and removable media or any other form of computing device that is owned by an individual or a company and is not subject to Defence control. a. Privately Owned Device. Is a device where the end user has administrative control, responsibility and legal authority over the devices configuration. End users can exert control over these devices. Example: software. b. A home computer or personal mobile phone. The end user can install virus detection Public Device. A subset of Privately Owned Devices where the end user has no administrative control over the device, they are not responsible for, and have no legal authority over, the configuration of the device. 
DSM Part 2:31 Page 13 of 15 UNCONTROLLED-IF-PRINTED UNCLASSIFIED UNCLASSIFIED UNCONTROLLED-IF-PRINTED Example: Internet kiosks and shared computers in hotels. 74. Australian Signals Directorate approved encryption. Any cryptographic functionality that is implemented in accordance with all of the relevant requirements of the ISM Cryptography Section (including any product specific advice or in the Australian Communications-Electronic Security Instructions (ACSI) series publications) in order to reduce the handling and storage requirements of the device. 75. Actual and ‘handle-as’ security classifications for encrypted devices and media. Where ASD approved encryption is applied to a device/media, that device/media has two different classifications. These are: a. the actual classification: the highest classification of information stored on or processed by the device/media, regardless of whether encryption has been applied; Note: This classification also applies whenever the device/media is in a keyed state, i.e. where the classified information is accessible in an unencrypted form. the ‘handle-as’ classification: the classification of the device/media when the classified information it contains is fully protected by encryption; ic b. 76. Note: This classification enables the device to be stored and physically transferred at a reduced classification due to the protection provided to stored information through the application of suitable ASD approved encryption technology. If ASD approved encryption is not used, the actual and ‘handle-as' classifications are the same, ie, the highest classification of data stored or processed on the device/media. bl a. 77. Exclusion: Some ASD approved technologies such as remote access solutions (eg, DREAMS) have been evaluated to ensure that information is not recoverable from the hosting device once the session ends. In these instances the product’s evaluation documentation will advise of the levels of protection offered. 
Further Definitions Further definitions for common DSM terms can be found in the Glossary. Pu 78. DSM Part 2:31 Page 14 of 15 UNCONTROLLED-IF-PRINTED UNCLASSIFIED UNCLASSIFIED UNCONTROLLED-IF-PRINTED Annexes and Attachments This part currently has no annexes or attachments. Pu bl ic N/A DSM Part 2:31 Page 15 of 15 UNCONTROLLED-IF-PRINTED UNCLASSIFIED