ISM-0661: ASD Information Security Manual (ISM)

User Accountability for Data Transfers

Users are responsible for the data they move between systems.

Plain language

The rule here is simple: if you're moving data between different systems, it's your responsibility to ensure it's done properly and securely. If done improperly, you risk exposing sensitive information or allowing unauthorised folks to get their hands on it, which could lead to financial losses and damage to your reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Users transferring data to and from systems are held accountable for data transfers they perform.

Why it matters

Without user accountability for data transfers, unauthorised exfiltration and leaks can go undetected, increasing breach impact and loss of client trust.

Operational notes

Enable per-user transfer logging and regularly review logs to trace each upload/download to a user and investigate anomalies.

Implementation tips

  • Managers should educate employees on the importance of safely transferring data. They can run short training sessions explaining what types of data are sensitive and the right methods to transfer it safely.
  • IT teams should implement systems to track and monitor data transfers. Set up software that logs when and where data is moved to ensure accountability and a record of transfers.
  • Employees who move data should double-check recipient credentials before completing transfers. Ensure that the person or system receiving the data is authorised to access it by verifying credentials or using a secure directory.
  • System owners should set up permissions that control who can transfer certain types of data. Use software tools to configure who has access to data and who is allowed to move it, ensuring only authorised individuals can do so.
  • HR should incorporate data transfer responsibilities into job descriptions. Clearly define expectations for employees who handle sensitive data to ensure they understand their role in protecting it.

Audit / evidence tips

  • Ask: System logs that track data transfers. Request detailed logs that record when data is transferred, by whom, and to where.
  • Ask: To see the data transfer training materials.
  • Ask: A list of authorised data transfer personnel. Request a copy of the list of employees authorised to transfer sensitive data. Good: Version will have recent updates and clear roles and responsibilities assigned.
  • Ask: To review the data transfer permissions setup. Examine the permission settings within the data transfer system. Good permission setups will ensure only authorised users can initiate data transfers, with clear records of who can do what.
  • Ask: To see any incidents related to data transfers. Request reports of any data transfer issues or breaches. Good: Report will show a prompt and effective response with lessons learned documented.

Cross-framework mappings

How ISM-0661 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (2)

  • Annex A 5.14: ISM-0661 requires users to be accountable for data transfers they perform to and from systems
  • Annex A 8.12: ISM-0661 holds users accountable for data transfers they perform

Supports (1)

  • Annex A 5.10: ISM-0661 requires user accountability for data transfers across systems

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
