Purpose
This Ruling provides a direction to South Australian Government agencies under SACSF Policy Statement 2.12 Mobile Device Management on the use of the TikTok application on South Australian Government devices.
An assessment has been made that the TikTok application poses significant security and privacy risks, and agencies must remove existing instances of TikTok and prevent the installation of TikTok on government issued devices.
Scope
This Ruling 3 relates to the following SACSF Policy Statement:
2.12: Mobile Device Management: Technical and procedural controls must be in place to address the risks associated with the use of mobile devices including mobile phones, smartphones, tablets, laptops, portable electronic devices, portable storage and other portable internet connected devices.
This Ruling does not impact the use of the TikTok application on personal devices. However, agencies that accept the risks of the use of personal devices to access official, sensitive or security classified data (i.e. pursuant to remote access arrangements including Bring Your Own Device (BYOD) or equivalent) must formally assess the risk of TikTok as part of this policy position.
Ruling
Government agencies must prevent the installation and remove existing instances of the TikTok application on government devices (e.g. phones, tablets or computers), unless a legitimate business reason exists which necessitates the installation or ongoing presence of the application.
The Agency Security Executive and agency IT Security Advisor must be consulted in the assessment and approval of a legitimate business reason.
The following risk mitigations must be assessed and implemented within the context of the agency’s ICT environment as part of the approval of a legitimate business reason:
- Ensure the TikTok application is installed and accessed only on a separate, standalone device without access to services that process, store or access official, sensitive or security classified government information.
- Ensure the separate, standalone device is appropriately stored and secured when not in use. This includes the isolation of these devices from sensitive conversations and information.
- Ensure metadata has been removed from photos, videos and documents when uploading any content to TikTok.
- Minimise, where possible, the sharing of personal identifying content on the TikTok application.
- Use an official generic email address (for example, a group mailbox) for each TikTok account.
- Use multi-factor authentication and unique passphrases for each TikTok account.
- Ensure that devices that access the TikTok application are using the latest available operating system in order to control individual mobile application permissions.
- Regularly check for and update the application to ensure the latest version is used.
- Only install the TikTok application from trusted stores such as Microsoft Store, Google Play Store and the Apple App Store.
- Ensure only authorised users have access to corporate TikTok accounts and that access (either direct or delegated) is revoked immediately when there is no longer a requirement for that access.
- Carefully and regularly review the terms and conditions, as well as application permissions with each update, to ensure appropriate risk management controls can be put in place or adjusted as required.
- Delete the TikTok application from devices when access is no longer needed.
Roles and responsibilities
Agency chief executives:
Responsible for the effective implementation of, and compliance with, this Ruling within their agency.
Agency executives, directors and managers:
Responsible for ensuring the Ruling is implemented and observed by staff, staff are fully informed of their obligations and responsibilities under the Ruling and any reporting requirements are met.
Agency security executives:
Responsible for ensuring that the Ruling is implemented within the agency and that business processes support the Ruling requirements.
Required to be consulted on and make informed, risk-based decisions on any requests for legitimate business use of TikTok on government devices.
Agency IT security advisor:
Responsible for providing advice on application of this Ruling within the agency environment, and for providing advice on the risks to agency information and services.
Required to be consulted on and provide informed, risk-based advice on any requests for legitimate business use of TikTok on government devices.
All agency staff:
Required to comply with the Ruling and any related procedures, and to play an active role in ensuring the compliance of others.
Definitions
Legitimate Business Reason:
A legitimate business reason would include:
- where the application is necessary for the carrying out of regulatory functions, including compliance and enforcement functions;
- where an entity requires research to be conducted or communications to be sent to assist with a work objective (for example, countering mis- or disinformation); or
- where an entity must use the application to reach key audiences to undertake marketing or public relations activity on behalf of the entity.