Purpose

This Ruling provides a direction to South Australian (SA) Government agencies under the South Australian Cyber Security Framework (SACSF) on the use of Kaspersky Lab, Inc. products and web services on South Australian Government systems and devices.

The Australian Government has made an assessment that the use of Kaspersky Lab, Inc. products and web services poses an unacceptable security risk, arising from threats of foreign interference, espionage and sabotage.

Scope

The Ruling does not impact the use of Kaspersky Lab, Inc. products and web services on personal devices, or other manufacturers’ products that have embedded Kaspersky Lab, Inc. code. Agencies that accept the risks of the use of personal devices to access official, sensitive or security classified data (i.e. pursuant to remote access arrangements including Bring Your Own Device (BYOD) or equivalent) must formally assess the risk of Kaspersky Lab, Inc. products or services as part of this policy position.

Ruling

Agencies must prevent the installation of Kaspersky Lab, Inc. products and web services on all South Australian Government systems and devices, and where found, remove all existing instances.

Agencies must manage the risks arising from Kaspersky Lab, Inc.’s extensive collection of user data and exposure of that data to extrajudicial directions from a foreign government that conflict with Australian law.

By 30 June 2025 all agencies must:

  • Identify and remove all existing instances of Kaspersky Lab, Inc. products and web services on all South Australian Government systems and devices.
  • Prevent the installation of Kaspersky Lab, Inc. products and web services on all South Australian Government systems and devices.

Exemptions

  • The Accountable Authority may seek an exemption for a legitimate business reason, limited to national security and regulatory functions, for the use of Kaspersky Lab, Inc. products and web services on South Australian Government systems and devices and must ensure that appropriate mitigations are in place.
  • A legitimate business reason is a need to install or access Kaspersky Lab, Inc. products and web services on South Australian Government systems and devices to conduct business and/or achieve a work objective of an agency.
  • A legitimate business reason must be time limited, follow appropriate mitigations, and be limited to where use is necessary for the conduct of national security or regulatory functions, including compliance and law enforcement functions.
  • Exemptions must be sought through the Office of the Chief Information Officer exemption process.

Roles and responsibilities

Accountable Authority
Accountable for the effective implementation of, and compliance with, this Ruling within their agency.

Agency Security Executive
Responsible for ensuring that the Ruling is implemented within the agency and that business processes support the Ruling requirements.

Agency Information Technology Security Advisor
Responsible for providing advice on application of this Ruling within the agency environment.

Definitions

Accountable Authority
The person or group of persons responsible for, and with control over, the agency’s operations (e.g. Chief Executive, Commissioner).

Devices
Government owned mobile devices, which includes all mobile phones, handheld computers, tablets, laptops, and personal digital assistants.

Kaspersky Lab, Inc. products and web services
All information security products, solutions, and web services supplied directly or indirectly by Kaspersky Lab, Inc. or any of its predecessor, successor, parent, subsidiary, or affiliate companies. It does not include other manufacturers’ products that have embedded Kaspersky Lab, Inc. code.