Standard Operating Procedure. Secure Use of Memory Sticks

Transcription

1 Standard Operating Procedure Secure Use of Memory Sticks DOCUMENT CONTROL: Version: 2.1 (Amendment) Ratified by: Finance, Infrastructure and Business Development Date ratified: 20 February 2014 Name of originator/author: Information Governance Security Specialist Name of responsible Finance, Infrastructure and Business Development committee/individual: Date issued: 26 February 2014 Review date: March 2016 Target Audience All staff using Trust Encrypted Memory Sticks

2 1. Aim This document is based upon good practice principles and is intended to minimise the risks associated with the use of memory sticks. 2. Scope The principles set out in this document must be applied by all personnel who have access to the Trust s assets; including staff, contractors, volunteers and third parties. 3. Link to overarching policy and/or procedure Informatics Security Policy 4. Procedure 4.1 Definition A memory stick (also known as a pen drive, thumb drive, USB stick, etc.) is a small device that connects to the USB port of a computer and is used to store information. 4.2 Encryption Trust-issued memory sticks are encrypted; therefore if a stick is lost or stolen, the contents are protected against unauthorised access. 4.3 Appropriate Usage Despite their small size, memory sticks have a very large capacity and therefore pose a considerable security risk if they are lost, stolen or misused. Because of this, only approved, encrypted memory sticks that are issued by the Informatics technical department may be used to store any of the Trust s information; the use of any other memory stick for such purposes is prohibited. The use of non-nhs owned PCs or laptops for Trust business is forbidden (see the Protocol For Access Control, section Non-NHS Owned Computer Equipment ), therefore a Trust issued memory stick must not be connected to, or used in a non-nhs owned computer or laptop, including personally owned equipment. There are only two exceptions to this: a. It is permissible to use a memory stick in conjunction with a home or third party computer for coursework being undertaken by the staff member, providing the memory stick does not contain any Trust information. b. When it is necessary to deliver training or a presentation using a non-nhs owned PC or laptop, and there is no viable alternative to using a memory stick. Consideration should be given to taking a Trust laptop to the event or putting the presentation onto a CD or DVD, Page 2 of 6

3 however if this is not possible and a memory stick is the only practicable option, the following precautions must be taken: o the memory stick should only contain the files required specifically for the event o sensitive data must be kept to the absolute minimum o files must be accessed directly from the memory stick and must not be copied onto the PC or laptop o the memory stick must be removed from the PC or laptop when leaving it unattended and immediately the training/presentation is complete. A Trust issued memory stick is an identifiable Trust asset and is recorded on the IT asset register. It must not be left in the possession of any person other than the individual it was issued to. The only exception is when recordings must be conveyed to a course tutor and there is no viable alternative. In this case the following conditions must be satisfied: o The memory stick must contain nothing except the appropriate recording(s). o The memory stick must preferably be handed to the tutor in person or, if that is not possible, it must be sent and returned by recorded delivery. o The password to access the contents of the memory stick must be given to the tutor in person or sent separately from the memory stick itself (e.g. via or telephone). o It is the responsibility of the staff member to notify the course tutor of the password lockout function. If the course tutor enters an incorrect password too many times the memory stick will be wiped. Whatever the circumstances, memory stick usage must be in accordance with that declared on the memory stick request form. When using a memory stick in your normal place of work, to protect its contents, the computer must always be locked (e.g. by using Control-Alt- Del keys) when it is left unattended; if this is not possible, the memory stick must be removed from the computer. When not in your normal place of work or when using a non-trust owned PC or laptop, the memory stick must never be left unattended; always take it with you. Similarly, a memory stick must not be left unattended when delivering training or presentations or when in use in a high-traffic or publicly accessible area. When working on a computer other than the one you normally work on, do not copy files onto the computer; work on them directly on the memory Page 3 of 6

4 stick this will avoid leaving copies of the files on the PC; files can often be retrieved on a computer s hard disc even after they have been deleted. 4.4 Copying / Moving Files Whilst a memory stick is encrypted, once files are transferred off it (such as by moving or copying to a computer s hard disc or attaching to an ) they are no longer encrypted; other measures must be taken to protect such files. 4.5 Deleting Files As a matter of good practise, information on memory sticks should be removed / deleted as soon as it is no longer required. When files are deleted from a memory stick, it is sometimes possible to retrieve them. The only way to be sure that files are permanently deleted and cannot be retrieved is to format the memory stick; this will not normally be necessary as Trust-issued memory sticks are encrypted, however if you need to do this, please seek guidance from the IT Service Desk. 4.6 Storage A memory stick is an electronic device and, as such, should be protected from extreme temperatures, excessive moisture and physical damage. If a Trust issued memory stick ceases to function correctly, it must be returned to the IT Service Desk. 4.7 Backup A memory stick should not be used as a primary data storage device; it should only be used as a secondary or transporting device. In this case it may require backing up; this should be done regularly, preferably to a network drive. If the memory stick s contents are sensitive or confidential, consideration must be given to the security of any backup copies (see Copying / Moving section above). A memory stick should not be used as a backup device network drives are better suited to this purpose as they are regularly backed up and are normally protected by physical security. It is recommended that files are not kept on a PC s hard disc (the C: drive); however if this is unavoidable (i.e. when working off-line), the files should be backed up to a network drive as soon as possible, not to a memory stick. Once backed up, files should be removed from the memory stick if they are no longer required. 4.8 Loss / Theft If a memory stick is lost or stolen, it must be reported to your line manager immediately and to the IT Service Desk as soon as possible. It must also be reported via the Safeguard on-line system by completing an IR1 form, which can be found on the home page of the Trust s Intranet. Page 4 of 6

5 4.9 Training Implications All personnel (including staff, contractors, volunteers and third parties) having access to the Trust s information assets will be made aware of this document and must familiarise themselves with their associated responsibilities. Page 5 of 6

6 Request For an Encrypted Memory Stick This form must be completed by the requestor, signed by the requestor s line manager and submitted to the Information Governance department, Woodfield House, St. Catherine s for approval. Requestor: - Name: Department: Phone no: Please give a brief description of the information to be held on the memory stick: Why must the information be held on a memory stick, as opposed to any other form of storage? Will the memory stick be used in any computer (desktop or laptop) other than your work PC? (if so, please explain) Will the memory stick be used to transfer information to any other device? (if so, please state which device[s] and why) Policy for the Secure Storage and Transfer of Person Identifiable Data Procedure for the Secure Storage and Transfer of Person Identifiable Data By signing below, I confirm that I will use the memory stick according to the principles and practices described in the above documents and all associated policies; and that I will inform the Information Governance department of any significant changes in the usage of the memory stick. Requestor: - Signature: Date: (Important - please refer to the above documents before signing this declaration) Requestor s Manager: - Name: Position: Signature: Cost Code: Date: N.B. the cost of the memory stick is the responsibility of the operating department Information Governance: - Approved? (Y/N) Name: Signature: Date: Comments: Page 6 of 6