COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name

Transcription

1 COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name Introduction Removable Media and Mobile Device Policy Removable media and mobile devices are increasingly used to enable information access and transfer. However removable media and mobile devices are also a high risk for the Service in terms of loss of information, lack of Corporate access, duplicate work, and potential for attack on CFRS systems. This policy defines how the Service will use removable media and mobile devices while managing information security risks. Knowledge of this policy will enable employees to maintain CFRS security and avoid inadvertently breaching information security. Owner Head of ICT Last Review Created October 2012 Review Due Date Every 2 years Version Control/Amend 4.1 Schedule Cross References ICT Acceptable Use policy Information Security policy Contents Policy statement Responsibilities Procedures 1. Encryption 3. Security of equipment data 4. Loss of equipment data

2 BODY OF POLICY DOCUMENT Appendix 5 to Item 4 Policy Document Name: Removable Media and Mobile Device Policy Policy Element Policy statement CFRS will use adopt appropriate security practices when using mobile devices and removable media, and will ensure that Service information and associated systems are adequately protected. Removable media or mobile devices will only be used for information if this method of access or transfer is absolutely necessary, and only if there is an organisational requirement to do so that cannot be met by any other means. Specific commitments Mobile media and removable devices must not be used to store data on a permanent basis. All Service data must be stored on the Service network to allow Corporate access and ensure it is backed up automatically by ICT. This policy will be applied to: All information stored on mobile devices, or transferred by, removable media. Removable media includes, but is not limited to: - USB sticks - CDs, DVDs - Floppy disks - Memory cards (including Compact Flash, Smart Media, Multi Media, Secure Digital Cards, etc) - External hard drives - Laptops, tablet PC s and PDAs - CFRS issued mobile phones All employees, contractors, temporary staff and employees of other organisations who directly or indirectly support our ICT services who handle CFRS information will comply with these requirements. Responsibilities ICT ICT will encrypt USB drives and portable devices that will be used for the storage and transfer of CFRS data. Employees Employees must only use removable media authorised and purchased through ICT. IMPORTANT: Personally identifiable or confidential information must only be copied to or stored on any removable media in line with the Information Security policy. Please contact the ICT Service Desk and Information Manager if you need

3 advice. Appendix 5 to Item 4 Refer to the Information Security Policy for details. Failure to adhere to this policy which results in an information security breach may lead to appropriate disciplinary action being taken as defined in the Information Security Policy. Procedure Element List of Procedures 1. Encryption 3. Security of equipment data 4. Loss of equipment data 1. Encryption of media Laptops - All CFRS issued laptops will have full disk encryption installed as standard before they re issued to staff. If you are aware of any device that is not encrypted, please notify the ICT Service Desk as soon as possible. USB / removable hard drives Do not store personally identifiable or confidential information on an unencrypted USB / removable hard drive. These devices should only be used for the transfer of information if they are encrypted and you have the permission of the data owner. They should not be used as a storage or back-up device. You must not store or use removable media or mobile devices as back-up systems for any data. These devices are unreliable for this type of data storage and should only be used for the temporary transport of data. Please do not use this type of device for your primary source of data storage. If for any reason the device becomes corrupted, any data will be unrecoverable. Please contact the ICT Service Desk for advice on long term storage and backups. 3. Security of data Sufficient care must be taken to ensure that the removable media is secured at all times and any faults with supplied equipment must be reported to the ICT Service Desk immediately. Failure to do so may result in a security breach. Equipment supplied to customers must be used in accordance with CFRS ICT policies. 4. Loss of data If you lose or have any removable media stolen which contains unencrypted personally identifiable or confidential information, you may be liable to

4 prosecution under the Data Protection Act and may be subject to disciplinary action. Report any loss of removable media or mobile device (even if encrypted) as soon as possible to the ICT Service Desk. Employees are responsible for ensuring that personally identifiable or confidential information is not left on removable media for periods longer than necessary. Information that is no longer required must be promptly deleted from mobile devices or removable media in order to comply with the Data Protection Act. For further advice on the destruction of confidential information, please contact the Information Manager. Employees using removable media should be aware that the data contained on the device may carry a virus or malicious software (malware). When data is copied to a CFRS computer from any removable media, it must be scanned by the anti-virus software on the workstation or laptop. Please contact the ICT Service Desk on the procedure for manual virus scanning. All users must maintain virus and malware awareness. Users of laptops are responsible for ensuring their anti-virus updates are maintained on a regular basis by connecting to the network daily if possible. When a laptop is connected to the CFRS network via a network cable, Wi-Fi or docking station, the anti-virus definitions will update automatically at noon. If you have any concerns or would like advice on keeping your machine up-todate, please contact the ICT Service Desk. Guidance Element USB Devices & Memory Sticks Frequently asked questions I ve received an unencrypted memory stick contain data I need to access, can I use the device? ICT are implementing software to stop the use on unauthorised USB devices and memory sticks. If you need to access data from an unauthorised device please contact the ICT Service desk who will be able to retrieve the data for you and transfer it to a secured device.

5 I have been given an encrypted USB stick from a trusted source but my computer will not read the device? Again, ICT are implementing software to only allow authorised devices. You should contact the ICT Service Desk who will be able to open the device for you and retrieve the data. Does all mobile data need to be encrypted? No, only data which contains personal information, is sensitive or has security restrictions on it need to be encrypted.