education.vic.gov.au

School operations

Information Security

9. Information communications technology security

Schools must have processes in place to ensure the security of all school-managed ICT assets throughout their lifecycle. This must include:

  • managing the security of ICT equipment (for example, laptops, hard drives, USB drives) and replacing them when necessary
  • managing electronic records on storage media to ensure their authenticity, security, reliability, and accessibility
  • securely decommissioning school-managed computer equipment and storage media including hard drives and USB devices
  • adopting and regularly reviewing appropriate technical controls such as network configuration and anti-virus and patching arrangements.

Asset management

  • Schools must maintain an up-to-date inventory of all school-managed ICT assets, including both hardware and software. This inventory should be comprehensive and include details such as asset type, location, and status.
  • Schools should implement a system for tracking assets throughout their entire lifecycle, from initial acquisition to final disposal. This tracking should cover both on-site and off-site assets, in accordance with Section 13 Asset and Inventory Management of the Finance Manual – Financial Management for Schools policy.
  • By 2028, schools must transition to department-provided technologies where available. The department will contact schools about the migration process.
  • The Securing Connected Learners (SCL) Program supports schools in the transition to department-provided technologies including the decommissioning of school-managed technologies and identities. Further information is provided in the Technologies and ICT Services policy.

Secure disposal of computer equipment

Schools must properly dispose of all computer equipment to protect school and personal information from unauthorised access, such as exposure to the public.

Computer equipment includes any computerised equipment that stores school or personal information. Devices defined as computer equipment include laptops, desktop computers, media storage devices (for example, hard drives and USB drives), printers, faxes, security systems and network devices. The equipment may be owned or leased by the school or may be staff-owned devices used for school purposes.

As part of the disposal process:

  • all data must be removed or destroyed from the equipment
  • the equipment must be de-identified
  • appropriate approvals and documentation must be completed and retained.

It is also essential that the Records Management and Software and Administration Systems policies are followed as part of the disposal process.

Secure disposal of the computer equipment can be done by technical staff at the school by following this guidance. If a school lacks the expertise or resources to do this, the school may engage a certified third-party supplier who specialises in disposal of computer equipment.

Reasons for disposal

  • End of economic life – equipment is no longer fit for purpose or economical to run
  • Faulty – equipment has a fault that is uneconomical to repair and the cost of the repair is greater than the straight-line depreciated value of the equipment or a repair cannot be made due to unavailability of parts
  • Damaged – equipment has been damaged due to negligent or deliberate action, or through accidental causes such as fire, flood or electrical overload and it is uneconomic to repair because the cost of the repair is greater than the straight-line depreciated value of the equipment or a repair cannot be made due to unavailability of parts
  • Obsolete – equipment no longer able to perform required task effectively or at all
  • In excess of entitlement – no longer required as it no longer has, or is likely to have, a business function
  • End of lease – the lease period of the equipment has expired, or a lease has been terminated
  • Donated to another government school
  • Transferred to school student – equipment is transferred to a student as part of a general school program to provide student equipment on an equitable basis
  • Donated as foreign aid
  • Donated to charitable cause

Disposal process

The process for secure disposal is the same regardless of the reason for disposal. Schools must take the following steps.

  1. Obtain approval to dispose of the equipment from the principal or their delegate, as per 'Approval to dispose' below.
  2. Prior to sanitising the equipment, any electronic records it contains:
  3. Sanitise the equipment as per 'Sanitising, destroying and de-identifying computer equipment' below.
  4. If there is a significant volume of equipment or the school lacks the expertise to securely dispose of the equipment, a specialist disposal firm can be engaged. If this occurs, the use of a DE contract template is strongly recommended as it will contain key recordkeeping, privacy and information security clauses to help schools comply with related legislation.
  5. Remove all identifying labels, writing and markings from the equipment.
  6. Document the disposal details and the approval to dispose of the equipment. The Computer equipment disposal form (DOCX) can be used for this.
  7. Update the asset register in CASES21 if the equipment is listed there, otherwise keep a log of equipment that has been disposed.
  8. Dispose of the equipment using the method described in the approval for disposal.
  9. Ensure records of disposal activities are retained for 7 years, as per requirements of the Records Management policy.

Agreements for leasing computer equipment must contain provision for sanitising the equipment by the lessor or their agent on the return of the equipment to the lessor.

If a school finds or suspects that equipment has been disposed of incorrectly and school or personal information may be exposed, they must contact the Service Desk via the Service Portal. A ticket for the matter will then be raised for the Information Security Branch, who will provide the school with support and coordinate additional advice from other teams as may be necessary.

Approval to dispose

Disposing of computer equipment requires some form of official approval and record keeping. This is required to ensure disposal is handled correctly in relation to information security, asset management, records management, procurement requirements and integrity considerations.

Approval must be from the principal or delegate in writing and include:

  • school name
  • details for all equipment being disposed of, including type, make/model and serial number
  • reason for disposal
  • date of approval and disposal
  • disposal agent (if being used).

The Computer equipment disposal form (DOCX) can be used for this approval and documenting the disposal.

The principal may delegate the authority to approve disposal; however, it must not be delegated to the person managing the disposal process.

The approver must ensure that there is a valid reason for the disposal and that the disposal process is followed, including any additional requirements that may be relevant when the equipment is being disposed of by donation.

Donating equipment

If the computer equipment will be disposed of by donation, this must be done in accordance with the Gifts, Benefits and Hospitality policy.

No current or former staff members, contractors, consultants, school volunteers, or school council representatives, including their family members or associates, shall gain financial or reputational advantages through the disposal of computer equipment – whether directly through payment or indirectly through retention of the equipment for personal or other use – except where such disposal is to school students as part of a general school program providing student equipment on an equitable basis.

Sanitising, destroying and de-identifying computer equipment

Sanitising or destroying

Sanitising computer equipment is the process of removing data from the equipment.

Free and widely used software programs can be used for wiping almost any equipment that stores data. They are most commonly used to wipe laptop and desktop hard drives, removable hard drives, and printers. These programs can also be used to wipe newer solid-state drives; however, these drives often have reset keys which can be used instead. The programs can also be used to confirm whether data wiping has been successful. Instead of using software, a magnetic degausser can be used to wipe equipment that uses magnetic storage.

If the wiping processes fail and data is still present, then the storage drive of the equipment needs to be destroyed by removing it and drilling or cutting the drive to destroy the storage area. If equipment is at end of life and will be disposed of in hard rubbish, then physical destruction of storage media and drives is always recommended.

Monitors, keyboards and mice typically do not store data. These can be disposed of without sanitising.

If there is any doubt about the sanitising process, or the equipment has been used for very sensitive information, the media should be physically destroyed.
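The following is an added example, not part of the department's guidance, of the confirmation step described above: it reads every byte of a wiped drive or drive image and reports where data remains, so the result can be kept with the disposal documentation. It assumes the wiping tool's final pass wrote zeros; the function names and record fields are hypothetical. A host-side read cannot see storage areas that a solid-state drive hides from the computer.

```python
import os
import tempfile

def find_residual_data(path, fill=0x00, chunk=1024 * 1024, max_hits=20):
    """Read every byte of a drive or image; return (bytes_scanned, offsets).

    offsets holds the first non-fill byte of each chunk that is not fully
    wiped, capped at max_hits so a failed wipe does not flood the log.
    """
    pad = bytes([fill])
    scanned, offsets = 0, []
    with open(path, "rb", buffering=0) as dev:
        while True:
            block = dev.read(chunk)
            if not block:
                break
            # Length of the leading run of fill bytes in this chunk.
            clean_prefix = len(block) - len(block.lstrip(pad))
            if clean_prefix != len(block) and len(offsets) < max_hits:
                offsets.append(scanned + clean_prefix)
            scanned += len(block)
    return scanned, offsets

def verify_wipe(path, fill=0x00, chunk=1024 * 1024):
    """Return a record (hypothetical field names) for the disposal log."""
    scanned, offsets = find_residual_data(path, fill, chunk)
    # Zero bytes read means nothing was checked, so it cannot count as verified.
    verified = scanned > 0 and not offsets
    return {
        "target": path,
        "bytes_scanned": scanned,
        "residual_offsets": offsets,
        "verified": verified,
        "action": "de-identify and document" if verified
                  else "wipe not confirmed: physically destroy the storage drive",
    }

if __name__ == "__main__":
    # Constructed sample: a small "drive" image with one leftover fragment.
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "constructed_drive.img")
        with open(image, "wb") as f:
            f.write(b"\x00" * (3 * 1024 * 1024) + b"leftover" + b"\x00" * 1024)
        print(verify_wipe(image))
```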

De-identifying

An important step schools must take is to ensure the equipment has no markings, labels or stickers which identify the school or previous user. This reduces the risk of disposed equipment becoming a target for closer attention or being associated with other individuals or organisations that may cause reputational damage to the school, department, students and staff.

Advice for common computer equipment

Typical equipment that requires this disposal process includes the following.

Computers including laptops, iPads, desktop computers and servers

Sanitise the equipment by removal and destruction of memory and drives, using degaussing and/or overwriting the data (degaussing is a method of using strong magnetic fields to erase data that is stored magnetically, as is often the case in old-style hard drives).

Computer equipment containing media, memory and hard drives can be sanitised by removing the media from the equipment or by sanitising the media while in the equipment.

Reset iPads back to factory settings after data wiping of memory and storage areas.

Printers and multi-function equipment

Sanitise by removing the printer cartridge or MFD print drum in addition to the removal or sanitisation of any media. If the drum and cartridge are to be retained, then multiple pages of random text in each of the colours should be printed. Any paper jammed in the paper path must be destroyed.

Network equipment

As network equipment can store network configuration data or credentials in their memory, the memory should be sanitised prior to the disposal of the equipment. The correct method to sanitise network equipment will depend on their configuration and the type of memory they use. As such, equipment-specific guidance provided by the maker of the equipment, or vendor sanitisation guidance, should be consulted to determine the most appropriate method to sanitise memory in network equipment.

Fax machines

As fax machines can store pages that are ready for transmission in their memory, the memory should be sanitised prior to disposal of the machines. This can be achieved by removing the paper tray, transmitting a fax message with a minimum length of four pages, then re-installing the paper tray and allowing a fax summary page to be printed. In addition, any paper that becomes trapped in the paper path must be removed prior to disposal.

Security measures and maintenance

For school-managed ICT networks and infrastructure:

  • schools must maintain a secure ICT network by following department policies and requirements, and by adopting appropriate technical controls and consistent management processes. This includes understanding the DE school network model, which consists of an administration network for school business functionality and a curriculum network for the teaching and learning environment
  • schools should ensure that the separation between these networks is not breached by unauthorised alterations. Regular software updates (patching) are essential to maintain the security of devices and applications. Schools should pay particular attention to the security challenges facing the curriculum network, including adherence to network and server equipment standards, local network configuration, and management of security controls
  • it is crucial that schools ensure their IT support technicians regularly perform risk-prioritised patching or vulnerability management for all systems, infrastructure and software applications under the school's responsibility
  • the Technical Support to Schools Program (TSSP) provides specialist technicians to deliver on-site scheduled support for schools, which can assist in this process. Refer to the Technologies and ICT Services policy for further information.

Managing donated ICT equipment and software

Schools must manage donated ICT equipment and software according to department policies to ensure it benefits the school, maintains information security, avoids financial liability, and upholds ethical standards.

Depending on the donor and the nature of the offer, donated ICT equipment or software may be seen as a form of sponsorship or may be part of a philanthropic partnership.

Donors offering ICT equipment and software are likely to be a school supplier and the Gifts, Benefits and Hospitality policy strictly limits when school staff can accept offers from suppliers.

For more information, refer to the Gifts, Benefits and Hospitality, Sponsorship and Philanthropic Partnerships policies.

Donated ICT equipment

Before accepting donated ICT equipment, schools must ensure:

  • they obtain documented evidence of equipment ownership from the donor
  • they avoid accepting donated equipment where it could be perceived as endorsing an organisation or product
  • they are likely to use the equipment being donated
  • it is electrically tested and tagged according to the Australian AS/NZS 3760 standard; equipment that fails this test must be refused or discarded
  • there are no contingent future hardware maintenance payments to the donor or associated entities
  • all data storage is enterprise-wiped to remove previous data
  • all pre-installed software, including operating systems, is replaced with licensed software from the department or school.

Donated network equipment (for example, routers, modems, switches) cannot be accepted.

Donated software

Schools must ensure that software complies with the Technologies and ICT Services policy before it is accepted and used.

As software licences are not always transferable, software donations are not permitted unless the donor is an authorised agent of the software vendor or copyright holder.

Donors offering software are likely to be a school supplier. The Gifts, Benefits and Hospitality policy strictly limits when school staff can accept offers from suppliers.

Schools should seek advice from the department's legal, procurement and gifts, benefits and hospitality teams before accepting offers of donated software.

Includes information on asset management, secure disposal of computer equipment, security measures and maintenance, and managing donated ICT equipment and software

Reviewed 28 January 2025
