HIGH LEVEL COMPLIANCE REVIEW ELECTRONIC DATA STORAGE DEVICES

Standards for Victoria Police Law Enforcement Data Security (Standard 22)
November 2008
Commissioner for Law Enforcement Data Security

Acknowledgement

This report was prepared for the Commissioner by Ros Carter, Principal Policy Advisor, Office of the Commissioner for Law Enforcement Data Security, in consultation with relevant areas and employees of Victoria Police. The cooperation of those members of Victoria Police who provided input to the review is gratefully acknowledged.

Published by:
The Commissioner for Law Enforcement Data Security
PO Box 281
World Trade Centre
Melbourne Victoria 8005
November 2008

State of Victoria, 2008

Table of Contents

Executive Summary
1 Introduction
  1.1 Background
  1.2 Purpose and Scope
  1.3 CLEDS Electronic Data Storage Devices Standard
  1.4 Approach
  1.5 Definitions and Abbreviations
  1.6 Compliance Assessment Rating
2 Electronic Data Storage Devices
  2.1 Legislation, Policy and Process on disposal of data from electronic data storage devices
  2.2 Roles and Responsibilities
3 Review Findings/Observations
  3.1 Documentation of Disposal Requirements
    The Victoria Police Manual (VPM)
    The Records Disposal Guide
    The Document Security Best Practice Guideline
    Enterprise Information Security Policy, 2004
  3.2 Location Visits and Key Stakeholder Compliance Interviews
    Victoria Police Computer Hard Drives
    USB Flash Drives
    CDs and DVDs
    Video and Audio Tapes
    Multi Function Devices
    Approved Third Party Agreements
    Coordination of Effort
    Awareness of policy and procedures
4 Conclusions and Recommendations
  Conclusions
  Recommendations
5 Management Response to Findings and Recommendations
APPENDIX A Persons Interviewed and Documents Reviewed
APPENDIX B Public Records Act 1973 (Section 12) Public Record Office Standard (PROS) 97/003: Destruction of Public Records
APPENDIX C Response to Report by Chief Commissioner of Police

Executive Summary

Under the Commissioner for Law Enforcement Data Security Act 2005, the Commissioner is required to undertake monitoring activities, including audits, to monitor compliance by Victoria Police with standards and protocols established under the Act. A high level compliance review of the Electronic Data Storage Devices law enforcement data security standard (Standard 22) has been undertaken.

Standard 22 aims to reduce the risk of law enforcement data stored on electronic data storage devices being accessible to unauthorised persons when it is no longer required. This is to be achieved by either removing the data from the device or, if effective removal cannot be ensured, by destroying the device.

Victoria Police has established, or is planning to develop, a number of processes that demonstrate that it is working towards achieving full compliance with this Standard. These include:
- ensuring the sanitisation of Victoria Police personal computer (PC) hard drives prior to the return of the PCs to the lessor for reuse; and
- the guidelines and processes developed to ensure the effective disposal of VATE statements when they are no longer required.

Victoria Police is planning to extend the media sanitisation processes to cover the hard drives of Multi Function Devices, and to develop a Corporate Information and Records Management Strategy. Victoria Police has also recently developed a revised standard Agreement for negotiation with Approved Third Party organisations (ATPs) which incorporates clear reference to the requirements of all the CLEDS Standards and protocols, including the disposal of data from electronic data storage devices. This will ensure that Victoria Police fully complies with this Standard as it relates to ATPs, as opposed to the 41% compliance rating found during this high level review.

There are a number of improvements to be made before Victoria Police can be judged to be fully compliant with Standard 22. These are discussed below.

While information relating to the disposal of law enforcement data from electronic data storage devices is available across Victoria Police, there is no single, consistent and up to date documentation. The lack of integrated documentation means that responsible staff at individual locations must find these instructions and pull them together into a single document for the use of their local staff.

The approach to ensuring the encryption of data held on USB flash drives, and the processes developed to monitor compliance with this requirement, is varied and uncoordinated across Victoria Police. Business Information Technology Services (BITS) lists an approved USB device in its catalogue which comes with encryption software. The use of this flash drive is not mandatory.

In situations where electronic devices containing law enforcement data are removed for destruction by a registered disposal company, the Public Records Act 1973 requirement to obtain a Certificate of Destruction is not always met. This seems to be due in part to the associated cost and in part to a lack of awareness of the requirement.

There is also a lack of general awareness of the requirements of CLEDS Standard 22 among Victoria Police employees in many Departments and areas. Reduced awareness of the requirements will result in poor compliance. There is a need for a more focussed and active approach to ensuring all Victoria Police employees are well aware of their responsibilities regarding information disposal from electronic data storage devices.

The Victoria Police projects underway in the Business Management Department and BITS, and work being undertaken by the Agency Security Advisor, are examples of new policy and guidelines that individually promise to provide up-to-date and accurate information. However, care should be taken to ensure these developments do not further disperse information and instructions about data security, including disposal and destruction. The opportunity exists to provide consistent and consolidated information to Victoria Police members through a more cooperative and force-wide approach to the development of these documents. Victoria Police should work towards achieving such a goal.

As a result of the review of policy and procedures, and observations based on discussions with Victoria Police staff, an overall compliance rating of Partially Compliant with CLEDS Standard 22 is considered appropriate at this time.

Recommendations

The following recommendations are made to assist Victoria Police in addressing matters raised in this high level review.

1. Victoria Police employees should be able to obtain information and guidance from a single document on the disposal of law enforcement data from electronic data storage devices. To achieve this, Victoria Police should strengthen working partnerships and linkages between relevant Victoria Police Departments, such as BITS and the Records Services Branch.

2. The Quick Reference Guide on Security Awareness currently being developed by the Victoria Police Agency Security Advisor should provide clear instructions relating to the disposal of data when it is no longer required, as part of a broader policy and suite of documents on information security awareness.

3. That Victoria Police develops and implements a force-wide mandatory policy for the use of encrypted USB flash drives, and instructions relating to the allocation of the drives, monitoring their use, and the need for sanitisation of the flash drives when they are returned for allocation to another user. Regions or Departments should ensure that encryption software is installed on all flash drives.

4. That VPM Instruction Records Management and Disposal be updated to include a reference and link to the Records Disposal Guide.

5. That a process be developed, as part of the Corporate Information and Records Management Strategy, to enable the monitoring of compliance with the requirement for Departments to submit an Application to Destroy Records form when disposing of data from electronic data storage devices.

6. Victoria Police should communicate the policies and procedures regarding the disposal of law enforcement data to all employees.

7. All Victoria Police departments and stations should allocate the role of disposal coordinator to a staff member, who becomes responsible for performing spot checks to ensure that law enforcement data, including from electronic media, is disposed of in accordance with policy.

8. Certificates of Destruction should be requested from data disposal companies in all instances where destruction has not been observed or supervised by Victoria Police employees. Checking that this has occurred should be specifically allocated to an appropriate employee.

9. Appropriate reference to the CLEDS electronic data storage devices standard should be included in all Agreements with Approved Third Parties that are authorised to access Victoria Police law enforcement data.

David Watts
Commissioner for Law Enforcement Data Security
November

1 Introduction

1.1 Background

The Standards for Law Enforcement Data Security were established in February and August 2007 by the Commissioner for Law Enforcement Data Security (CLEDS). The Standards and associated protocols are binding on Victoria Police.

Under the Commissioner for Law Enforcement Data Security Act 2005, the Commissioner is required to undertake monitoring activities, including audits, to monitor compliance by Victoria Police with standards and protocols established under the Act. The Commissioner has established an annual program of high level compliance reviews as well as detailed risk based audits. The objective of a high level review is to identify whether documented policies and monitoring frameworks have been implemented by Victoria Police to meet the Standards and Protocols.

Electronic Data Storage Devices is one of fifteen categories of standards and protocols issued by CLEDS.

1.2 Purpose and Scope

The scope of this compliance review is confined to examining the existence and operation of Victoria Police Electronic Data Storage Devices policy and processes in compliance with the requirements of the CLEDS Standard.

1.3 CLEDS Electronic Data Storage Devices Standard

CLEDS Standard 22 on electronic data storage devices is:

  Victoria Police must ensure the effective removal of law enforcement data from electronic data storage devices when the data is no longer required. If effective removal cannot be ensured, the storage device must be destroyed.

  Victoria Police must ensure that Agreements with Approved Third Parties establish requirements for effective removal of data or destruction of electronic data storage devices that have been used to store law enforcement data.

1.4 Approach

The high level compliance review involved discussions with key stakeholders, analysis of policy and procedures for compliance with the requirements of the CLEDS Electronic Data Storage Devices Standard, and verification of compliance monitoring. Agreements with Approved Third Parties for authorised access to Victoria Police law enforcement data were also reviewed for compliance with Standard 22 and the policy and procedures relevant to this Standard.

1.5 Definitions and Abbreviations

The following definitions and abbreviations are used throughout this report.

Business Information Technology Services (BITS)
Commissioner for Law Enforcement Data Security (CLEDS)
Business Management Department (BMD)
Corporate Management Review Division (CMRD)

Law Enforcement Data (LED): Is any information obtained, received or held by Victoria Police:
a. for the purpose of one or more of its, or any other law enforcement agency's, law enforcement functions or activities; or
b. for the enforcement of laws relating to the confiscation of the proceeds of crime; or
c. in connection with the conduct of proceedings commenced, or about to be commenced, in any court or tribunal; or
d. for the purposes of its community policing functions.
Such information includes text, images, audio and video held on computing devices or in hard copy format or other storage media, including but not limited to, data relating to individuals or aggregated data, written reports and correspondence, memoranda, police diaries, official notebooks, running sheets and other data repositories.

Electronic Data Storage Devices: Electronic data storage devices hold law enforcement data in digital or analogue form. Examples of devices that may hold law enforcement data in digital format are hard drives, USB flash drives, floppy disks, CDs and DVDs. Examples of analogue devices that may hold law enforcement data are magnetic tape devices such as audio and video cassettes.

Disposal: Disposal is defined in the Standards for Victoria Police law enforcement data security as the destruction of information, followed by moving the destroyed information off premises, typically to a waste disposal facility such as a recycling plant, tip, or garden.[1]

Public Record: Public Record as defined in the Victoria Police Manual (VPM) is any record made or received by employees, during the course of their normal business, regardless of format, as defined in the Public Records Act.

Official Information: Information developed, received or collected by or on behalf of Victoria Police is official information (Victoria Police Manual, Document Security).

[1] Standards for Victoria Police law enforcement data security, July 2007, p

Standard: Mandatory general principles for initiating, implementing, maintaining, and/or improving the security of law enforcement data for Victoria Police to ensure adequate information security management.

1.6 Compliance Assessment Rating

The assessment of law enforcement data security compliance, in terms of electronic data storage devices policy and processes, will be rated as one of the following:

Compliant: Existing security controls meet the requirements and intent of the standards and protocols.
Partially Compliant: Existing security controls partially or inconsistently meet the requirements and intent of the standards and protocols.
Non Compliant: Existing security controls are consistently inadequate in meeting the requirements and intent of the standards and protocols.

Recommendations will be made where less than full compliance is identified.

2 Electronic Data Storage Devices

2.1 Legislation, Policy and Process on disposal of data from electronic data storage devices

The overarching legislation relating to the management of Victoria Police data, including disposal, is the Public Records Act 1973 and the accompanying Public Records Act 1973 (Section 12) Public Record Office Standard (PROS) 97/003 Destruction of Public Records (Feb 1998). PROS 97/003 establishes the required standards relating to the disposal of public records and official information, both for paper based records and for those held on electronic devices. A summary of these standards is provided at Appendix B.

The major Victoria Police policy documents describing the requirements and procedures for the disposal of Victoria Police law enforcement data are the Victoria Police Manual and the Enterprise Information Security Policy (EISP) version 1.1. Both of these documents refer in turn to relevant sections of the Defence Signals Directorate Australian Government Information and Communications Technology Security Manual (ACSI 33) and the Australian Government Protective Security Manual (PSM).

Other Victoria Police policy and procedural documents that aim to provide greater detail or instructions related to specific areas of interest include:
- The Document Security Best Practice Guidelines, Business Information and Technology Services, 2007 (Information Security Unit, BITS)
- Records Disposal Guide, Business Records Branch, Business Management Department
- Procedures for Requesting Destruction of Records, Records Services Branch, Business Management Department
- Retention Periods for Records, Records Services Branch, Business Management Department
- General Retention and Disposal Authority for Records of Victoria Police, Public Records Office Victoria (PROV) with Records Services Branch
- Technology Refresh 2007 Destroy SE disk sanitisation Instructions for IBM (BITS 2007)
- Technology Refresh 2007 Destroy SE disk sanitisation Instructions for VicPol Staff (BITS 2007)

2.2 Roles and Responsibilities

Business Information and Technology Services (BITS) has the lead responsibility within Victoria Police for ensuring the effective disposal of law enforcement data from electronic data storage devices. The BITS Information Technology Infrastructure Security Unit has a major role in the development of technical architecture and standards in relation to the disposal of law enforcement data from electronic data storage devices. The BITS Information Security Unit has a key role in the development and implementation of information security awareness training. It provides advice to the Victoria Police Education Department on the training of sworn members, and develops information security awareness training programs and resources, such as information security awareness posters and leaflets, that are posted on the BITS intranet.

The Business Management Department's Records Services Branch also plays a major role in the management, storage and disposal of Victoria Police records and official documents. While other areas of Victoria Police were included in this high level compliance review, a major focus was directed to these two areas.

3 Review Findings/Observations

The examination and review of Victoria Police policy and processes regarding the effective removal of law enforcement data from electronic data storage devices when the data is no longer required has disclosed the following.

3.1 Documentation of Disposal Requirements

Requirements and processes for the disposal of law enforcement data (from all media), including from electronic data storage devices, as set out in the Public Records Act 1973 and the Public Records Act 1973 (Section 12) Public Record Office Standard (PROS) 97/003 Destruction of Public Records (Feb 1998), are documented in varying levels of detail and completeness in a number of Victoria Police policy and procedural documents. While some Victoria Police departments may document those requirements relevant to their particular area or data storage modality, there is a need for a single consistent document that covers, in detail, all the requirements for the disposal of law enforcement data, including those relevant to data held on electronic data storage devices.

The Victoria Police Manual (VPM)

The Victoria Police Manual (VPM) is the first point of reference for Victoria Police members regarding the requirements surrounding the conduct of their duties. VPM Instruction Records Management and Disposal states that the responsibility for ensuring that a regular program of records disposal is in place lies with each workplace manager. The Instruction briefly reiterates the standards set in PROS 97/003 Destruction of Public Records (Feb 1998) and provides references and links to several related documents. It does not provide a sufficient level of detail regarding these requirements, nor does it refer to or provide a link to the Records Disposal Guide developed by the Records Services Branch, which contains more detailed and practical guidance for the disposal of law enforcement data. This latter document is not mentioned at all in the VPM.

Other relevant Instructions in the VPM include:

- Instruction Tape recorded interviews, which briefly outlines how tapes such as Tape Recording in Indictable Matters (TRIM) tapes are to be disposed of, according to whether they are Master tapes, Second Original tapes or Copies of tapes. The method of destruction for each of these tapes is described as according to local instruction.

- VPM Video and audio-taped evidence (VATE), which states that under Regulation 12, Evidence (Recorded Evidence) Regulations, the original recording and all copies made in or in connection with a legal proceeding are to be destroyed or erased after a certain period. It also describes circumstances in which VATE statements may be kept for longer periods or indefinitely, for example where charges have not been laid and where briefs are of historical significance. The Business Records Section Records Disposal Unit (RDU) is named as having responsibility for the destruction of VATE statements after a completed Destruction/Retention of VATE Statement form has been forwarded from the relevant Sexual Offences and Child Abuse Unit (SOCAU) Manager. Master copies of VATE tapes are required to be forwarded to the RDU for storage within 10 days of the recording being conducted. If the statements are held on CD or DVD, the Master should be stored at the SOCA unit.

The Victoria Police Video and Audio-taped Evidence (VATE) Procedural Guidelines, updated by SOCAU in 2006, describe in greater detail the process regarding VATE recordings, including that all VATE recordings are to be destroyed within 6 months after the conclusion of the proceeding or at the expiry of any appeal period, as per the Evidence (Recorded Evidence) Regulations Section 13. Situations where the tapes may need to be kept for longer periods are described as in the VPM. These Guidelines reiterate that all VATE statements are to be destroyed by the Records Disposal Unit. Working copies of all VATE recordings are to be forwarded to the RDU with a Destruction/Retention of VATE Statement form completed by the Officer in Charge of the SOCA Unit, which nominates the desired action in relation to the tape. A notation of the requested action is to be entered on to the computerised VATE register and the relevant Case Entry. Master copies of CDs or DVDs containing VATE interviews must be secured in a locked storage cabinet in the SOCA Unit until such time as they are no longer required. The VATE Register is to be updated as the tapes or CD/DVDs are processed and released to the contracted disposal company for destruction. This process was observed by the reviewer at the Laverton Storage and Disposal Facility.

The Records Disposal Guide

The Records Disposal Guide (Business Records Section, Record Services Branch, 2004) states that each Victoria Police member is accountable for the retention and management of records of continuing value to ensure the business, accountability and cultural needs of Victoria Police are met. The document provides quite detailed information regarding records disposal, including that:
- records should be disposed of as soon as they are no longer required for business purposes;
- Business Records Services is responsible for the Force's Records Disposal Program, which comprises a range of activities including: appraisal of records; development of disposal authorities; documentation of the appraisal process and the disposal program; and implementation of the disposal decision;
- there needs to be written authorisation from the Public Records Office Victoria (PROV), as required under the Public Records Act 1973, to dispose of public records;
- disposal authorities set out the appropriate action for disposal of various types of records; and
- records disposal should be undertaken on a regular basis (eg monthly/annually) rather than ad hoc.

The steps involved in using and applying the Records Retention and Disposal Authorities are described in some detail, with a reminder that Business Records or the Records Disposal Unit should always be consulted to authorise the destruction of records, through the submission of a Request for Records Destruction form.

The Guide further advises Victoria Police employees that if they require any advice on the disposal process they should contact the Manager Business Records or Supervisor Records Services Division and Archives.

Specific instruction on the destruction of electronic records includes that electronic records are subject to the same disposal processes as paper records, and that:
- staff should take special precautions to ensure that electronic storage media containing confidential material, or information that may infringe upon personal privacy, is electronically wiped clean or physically destroyed;
- deleting records in some programs does not actually remove the information, and computer hard disk drives should be reformatted before the computers are disposed of; other magnetic media can also be reformatted;
- records stored on magnetic media can be bulk erased by subjecting them to a strong magnetic field, after which the media can be reused; and
- records held on optical media, and particularly sensitive records held on magnetic media, can be destroyed by cutting, crushing, or other physical means of destruction.

Other relevant documents developed by the Business Records Branch include: Procedures for Requesting Destruction of Records; and Retention Periods for Records.

It should be noted that the only electronic data from other areas of Victoria Police for which Business Records Services currently has disposal responsibility is VATE tapes forwarded to them from SOCA Units across the Force. This is conducted via the Records Management Storage and Disposal facility located at Laverton. Other areas are required to arrange and manage their own disposal and destruction of law enforcement data, while adhering to the requirements of the Public Records Act 1973 and seeking advice from the RDU as required. The RDU does not therefore have a role in ensuring that other areas are complying with the requirements for data disposal from electronic storage devices.

While the guides developed by the Business Records Branch would together appear to provide Victoria Police Departments and employees with quite detailed instructions about the disposal of information, a number of gaps and weaknesses have been identified, not only by this review but through a CLEDS review of an information security breach which occurred in late 2007 and a Victoria Attorney General's Office (VAGO) records management audit conducted in 2007/08. These issues are discussed in Section 3.2 below. Records Services Department staff also submitted that the role they play in authorising disposal, via receipt of Requests for Disposal from Victoria Police areas, appears to work well in relation to hard-copy documents but not for electronic documents or data.

The Document Security Best Practice Guideline

While the VPM does not refer to the Records Disposal Guide, it does make reference and provide an electronic link to the Victoria Police Document Security Best Practice Guideline. The document contains procedures primarily based on those in the Commonwealth Government's Protective Security Manual (PSM), with supplementary information from the Defence Signals Directorate's Australian Government Information and Communications Technology Security Manual (ACSI 33).

The Document Security Best Practice Guide is a non-mandatory statement of best practice which aims to assist workplaces in the development of their local instructions and/or provide all Victoria Police employees with a set of recommended procedures. The scope of the document includes documents in all formats: hard-copy; electronic; audio-visual; and any other recording and storage formats used now or in the future. It is not intended to cover National Security classified information.

While this document provides detailed and useful instructions regarding most aspects of document security, the section on data disposal is brief and disappointing. It outlines a number of principles that reflect those already discussed above. Brief instructions are provided regarding the destruction of CD and DVD disks (shred, or scratch with scissors or break into pieces if a shredder is not available) and for the destruction of floppy disks (shred or cut into strips). The Security Procedures Tables at Part 4 of the document, which provide examples and details of information security requirements by document classification, describe the full details of media destruction procedures as being out of scope and refer the reader to the Defence Signals Directorate, Information Security Group, Australian Government Information and Communications Technology Security Manual (ACSI 33).

Enterprise Information Security Policy, 2004

The VPM describes the Enterprise Information Security Policy as the authoritative source of information security requirements in relation to electronic information systems and the use of electronic information (206-2 References). The document is described as one component of an effective information security strategy which also includes a range of Policies, Standards, Guidelines, Procedures, System Information Security Policies, System Security Plans and Security Training Plans (EISP, p. 2-3).

The instructions in the EISP relating to the disposal of data from electronic data storage devices, while more detailed than those provided in the VPM, are still quite high level: they identify the need for sanitisation and disposal of various media and hardware items, but generally refer the reader to the Commonwealth Protective Security Manual and/or relevant sections of ACSI 33 for instructions on the required sanitisation or disposal process, depending on the type and security classification of the data.

At Section 18.6 the EISP lists a range of responsibilities of the System Sponsor for IT Infrastructure for the full range of IT storage media used across the Victoria Police technology infrastructure, including that the System Sponsor must:
- provide an effective sanitisation service; and/or document specific sanitisation procedures; and/or specify which storage media must not be reused;
- provide an effective disposal/destruction service for IT storage media in accordance with the provisions of ACSI 33, Part 3, Chapter 4 Security of Hardware (section 18.6); and
- ensure that documented guidelines and procedures (Victoria Police Guidelines for the Sanitisation and Disposal of Equipment and Media) and any requisite software are all available so that, where needed, VP personnel can sanitise and/or dispose of VP computer hardware and/or storage media (including the hard disk drive of a desktop or laptop computer). These guidelines must reflect those published in ACSI 33 and the PSM (21.7).

The EISP further requires that:
- all Victoria Police IT equipment must be declassified and/or disposed of in accordance with the Guidelines for the Sanitisation and Disposal of Equipment and Media (21.18); and
- failed storage devices that cannot be sanitised must be retained by Victoria Police for controlled destruction in accordance with the Guidelines for the Sanitisation and Disposal of Equipment and Media (21.19).

Discussions with the Manager, Information Technology Infrastructure Security in BITS revealed that, while they are aware of these requirements in the EISP, the required Guidelines for the Sanitisation and Disposal of Equipment and Media have not been developed.

In the Victoria Police Action Plans for the Implementation of the CLEDS Standards for law enforcement data security, BITS has listed a number of controls they currently have in place as evidence of their intention to comply, including:
- a Defence Signals Directorate (DSD) approved sanitisation tool, Destroy SE (used for the TechRefresh project, described below);
- a DSD approved degausser;
- CD/DVD shredders; and
- the destruction of LEAP mainframe tapes/disks in accordance with PSM and ACSI 33 requirements.

They also note that guidelines for the sanitisation of Multi Function Devices (MFDs) are to be developed by October. These guidelines need to be extended to include sanitisation and disposal of all equipment and media, incorporating those already developed for the TechRefresh project.

3.2 Location Visits and Key Stakeholder Compliance Interviews

The above description of policy and procedural documentation governing the disposal of law enforcement data from any media indicates a generally dispersed and uncoordinated approach across Victoria Police. This observation is supported by other findings, and by processes and gaps reported during interviews and visits with a small number of Victoria Police Units and Stations. While some areas make successful efforts to dispose of law enforcement data from electronic data storage devices, this would for the most part appear to be due to the efforts of individual areas in pulling together the relevant standards and procedural instructions from various sources to develop and implement their own processes.

Discussions with staff in the BITS IT Infrastructure Security Unit and the Records Services Division, the two areas of Victoria Police with a lead role in this area, confirmed this observation, with staff in both areas stating that they do not as a general rule work together in the development of their separate protocols and procedures relating to disposal of law enforcement data or information security generally. BITS IT Infrastructure Security staff also stressed that while they are able to provide advice on request on issues of information security, they do not have a compliance role. They understand that this role lies with individual Victoria Police areas. They also stated that the currently unstaffed Information Security Unit in BITS is likely to have a major role in this area.

The following is a discussion of the findings of the review based on each of the electronic data storage device types included in this review.

Victoria Police Computer Hard Drives

The sanitisation of Victoria Police personal computer hard drives, prior to the return of the PCs to the lessor for reuse, is a good example of a successful force-wide activity where law enforcement data is removed from electronic data storage devices when it is no longer required. A DSD-approved three-pass sanitisation product (Destroy SE) is used for this process, which is undertaken by IBM employees under the supervision of authorised Victoria Police employees specially selected and trained for the purpose. The successful sanitisation of each PC hard drive is certified by both the IBM employee and the authorised Victoria Police staff member through the completion and signing of a Check Sheet for Hard Drive Sanitisation Destroy SE. The certification sheets are retained by the Victoria Police area where the PCs were in use. It is noted that at one area visited by the reviewer, the Officer in Charge was not able to locate these certificates and believed that they were held by BITS. Detailed written instructions have been developed describing the process and responsibilities for IBM contractor staff and for Victoria Police authorised staff for the sanitisation of IT hardware prior to returning it to the lessor. These are provided to IBM and to the Victoria Police employees as part of their training.

USB Flash Drives

The findings regarding the use of USB flash drives and their sanitisation when returned by the user demonstrate a much less coordinated approach.

While Business Information Technology Services lists USB flash drives with an encryption program installed for purchase in its IT Catalogue, the procurement and use of these particular flash drives is not mandated, nor does BITS have a policy requiring Victoria Police to use only flash drives that have an encryption program on them. Regarding the disposal of information from USB flash drives, BITS indicated at interview that if flash drives with an encryption program were used, there would be no need to sanitise them, as the data would be unavailable to would-be or new users.

The procedures and requirements for the use of USB flash drives vary across Victoria Police. The Crime Department has very strict controls on their use. Crime Department Instruction 21 (CDI 21) Security of Information on Portable Storage Devices, published on the Crime Department Intranet, includes instructions for the allocation, use, return and sanitisation of USB flash drives. Only BITS-supplied SanDisk Cruzer Micro USB sticks, which come with encryption software, are allowed to be used. The Crime Department IT Coordinator has responsibility for all processes surrounding the allocation and use of the flash drives, including the maintenance of a register of who has the devices and ensuring the sanitisation/removal of data from the drive should a member or employee leave the Crime Department. The Specialist Support Department also supplies the BITS-approved flash drives to staff. While staff are discouraged from using their own personal flash drives, there is no compliance checking to ensure that this does not occur and no protocol governing the removal of data from these flash drives.

In one of Victoria Police's regions all employees were recently provided with a USB flash drive as part of a health and well-being promotion program, with a link on the flash drive to the Region's health and well-being website. While the devices were supplied with a small card providing information about the need for, and respect for, information confidentiality, they were not provided with encryption software. Encryption software is readily available for purchase and it is recommended that this region ensures that the flash drives are encryption-enabled.

It was noted during discussions with Departments during this high level review that standard policy and procedures relating to the use of USB flash drives need to be developed, implemented and enforced at an enterprise, force-wide level. This was reinforced late in the process of conducting this review when an employee of a large Victoria Police Department that had not been included in the location visits contacted the reviewer to find out where the policies and guidelines for the secure use of USB flash drives could be found. The issue of encryption will be examined in greater detail in an upcoming CLEDS high level audit of Standards 23 and 24 Cryptographic Controls.

CDs and DVDs

Victoria Police Departments and Police Stations appear to be generally aware of the need to securely dispose of CDs and DVDs containing law enforcement data when they are no longer required. Again, the implementation of procedures governing disposal and compliance checking is not coordinated across Victoria Police and therefore varied. Disposal was generally undertaken by placing the CDs or DVDs in secure bins provided and collected by contractors. Some areas provided the bins only once a year; others provided them on an ongoing basis. Some areas, including the Crime Department, the Specialist Support Department and BITS, provided cross-cutting shredding machines suitable for the destruction of this type of media. Some provided detailed information to staff about the use of the bins, including rules governing their placement and removal and/or basic instructions for the local destruction of CDs/DVDs by methods such as scratching or cutting into strips where shredders were not available.

It was found that Certificates of Destruction were in most instances not requested from the contractors hired to remove and destroy the media, as required. One area where a number of bins were available on an ongoing basis indicated that this was because of the cost of provision of the Certificates ($25 per bin per certificate, or an estimated cost of $9,000 per year). Others simply appeared not to know or understand that the certificates were required. Given that there has been an information security breach in the last twelve months in which law enforcement data, albeit in paper-based documents, ended up in a public location following removal by a contractor, it is vital that Certificates of Destruction are obtained for all removals and that a force-wide process for checking compliance with this requirement is established. Victoria Police needs to investigate the most cost-effective procedure for meeting this requirement. It should be noted that as a result of this information security incident the Records Services Branch document Procedures for Requesting Destruction of Records has been revised to provide clearer details and specifically to include the requirement for a Certificate of Destruction to be obtained from the external contractor/destruction company if the destruction of the data is not directly supervised by Victoria Police staff.

Video and Audio Tapes

Another example of the relatively successful disposal of law enforcement data from electronic data storage devices is the disposal of Video and Audio-taped Evidence (VATE) tapes when the information held on them is no longer required. The process for storage and disposal of VATE tapes is briefly documented in the VPM, as described above, and in more detail in the Victoria Police Video and Audio-taped Evidence (VATE) Procedural Guidelines updated by SOCAU. The storage and disposal of the tapes is overseen by the Records Disposal Branch, which receives the tapes from SOCA Units across Victoria Police. The tapes are forwarded to the Victoria Police Storage and Disposal Facility at Laverton, where they are processed according to whether they are masters, master copies or working copies and are stored or removed by a disposal company for destruction. Destruction and disposal is conducted offsite via shredding to the required tape width and then via deep burial.

A computerised VATE register is maintained in all SOCA Units, which is used to record details of the interview and to monitor the movement and location of the VATE statement. Staff at the Laverton Storage and Disposal Facility also record receipt of the tape and details of its storage, destruction and disposal on a computerised register. The reviewer noted the Register of Disposal at the Laverton facility.

There are issues surrounding the physical security of the Laverton Storage and Disposal Facility (refer CLEDS Review of Physical Security) and a problem with destroying the tapes within the required timeline due to a backlog of tapes requiring processing. However, the actual process of destruction is conducted within the prescribed standards, except that Certificates of Destruction are not requested from the contractors undertaking the destruction and disposal.

It should be noted that since the conduct of the review of physical security, Victoria Police has developed plans to renovate the Laverton site to ensure appropriate physical security measures are in place. As noted above, the requirement to obtain Certificates of Destruction from disposal contractors has also been clearly specified in the Records Services Branch Procedures for Requesting Destruction of Records.

Other tapes held on Victoria Police premises, such as TRIM tapes, are destroyed locally by cutting or with a hammer, or are placed in secure bins, as for CDs and DVDs, for removal and destruction.

Multi Function Devices

The reviewer was informed that new multi-function devices (MFDs), devices that are able to perform multiple functions such as printing, photocopying and scanning, have hard disk drives that are also required to be sanitised at end of lease. While the MFD manufacturers may have their own proprietary processes for removing data from the hard disk drives of their machines, BITS staff believe it is possible that these processes may not meet the data security requirements of ACSI 33 and the Defence Signals Directorate that underpin BITS' current PC hard disk drive sanitisation procedures. To coincide with the end of the first lease, the BITS IT Infrastructure Security Unit has included the development of MFD sanitisation procedures by October 2008 as an action item in its Implementation Plan response to the CLEDS Standards for Victoria Police Law Enforcement Data Security.

3.3 Approved Third Party Agreements

An examination of formal Agreements with Approved Third Parties for reference to policy and process regarding this Standard revealed that seven Agreements out of 17 ATPs (41%) are compliant with Standard 22. These include reference to the requirement to dispose of law enforcement data when it is no longer required and refer to the relevant State and/or Commonwealth legislation. The remaining organisations either:

- have Agreements that are not compliant with Standard 22; or
- are non-compliant because there is no Agreement in place.

While the proportion of Agreements with ATPs that are compliant with Standard 22 is currently low, it is noted that a revised standard Agreement has been developed for negotiation with Approved Third Party organisations which incorporates clear reference to the requirements of all the CLEDS Standards and protocols, including the disposal of data from electronic data storage devices.

3.4 Other Issues

Coordination of Effort

It would seem from the above that processes for the disposal of law enforcement data from electronic data storage devices work best where a coordinated force-wide approach is taken to the particular disposal modality and process. This requires a lead area that takes responsibility for the development of policies and processes in conjunction with other relevant areas of Victoria Police. This responsibility should also include a compliance role to ensure the correct processes have been properly followed. In discussions with the BITS IT Infrastructure Security Unit, it was clearly stated that this area of BITS has an advisory rather than a compliance role in relation to information security. It was suggested that the currently unstaffed BITS Information Security Unit would have a major role in this area. The Unit has been without staff for almost a year.

In discussions with staff from the Business Management Department (BMD) Business Records Section it was noted that appropriate interaction and cooperation with BITS was lacking. BMD was aware that there needed to be interaction between BRS and BITS regarding requirements for information disposal and information security generally, but such interaction did not occur. The VAGO records management audit (see section above) identified the need for the development of an organisation-wide strategy for records management. While the details of the strategy were not fully developed or available at the time of this review, Business Records staff have indicated that the development would include the participation of relevant staff from BITS. A draft Strategy is expected to be completed by 31 October.

Awareness of policy and procedures

Further issues of concern to the reviewer were the extent to which information about relevant policy and required procedures for the disposal of electronic data storage device contents is accessible to Victoria Police employees, and whether education and training efforts were sufficient to ensure employees are given the best possible opportunity to be familiar with the required standards and procedures.

Lack of easy access to clear policy direction was evident from the observation that the policies and instructions relating to data disposal are contained, in varying degrees of detail, in a number of standards, policy and procedural documents. Also, documents containing significant information, such as the Records Disposal Guide, are not referred to in the VPM. The lack of central leadership and coordination places the onus on local stations or areas of Victoria Police to locate and bring these documents together and develop local procedural documents. This was done well in some areas and not at all in others. This approach is inherently inefficient and results in duplication of effort without quality assurance.

The information security awareness posters and brochures posted on the BITS intranet and the online and DVD-based information security awareness training developed by BITS include information about data disposal. The recent CLEDS review of Education and Training on law enforcement data security in Victoria Police found, however, that the rate of access to this information is low among Victoria Police employees. The reviewer is aware that the Victoria Police Agency Security Advisor is currently preparing a Quick Reference Guide on Security Awareness, which may be of assistance.

4 Conclusions and Recommendations

4.1 Conclusions

Victoria Police has established, or is planning to develop, a number of processes that demonstrate that it is working towards achieving full compliance with this Standard. These include:

- ensuring the sanitisation of Victoria Police personal computer (PC) hard drives prior to the return of the PCs to the lessor for reuse; and
- the guidelines and processes developed to ensure the effective disposal of VATE statements when they are no longer required.

Victoria Police is planning the extension of the media sanitisation processes to enable sanitisation of the hard drives of Multi Function Devices, and the development of a Corporate Information and Records Management Strategy.

Victoria Police has also recently developed a revised standard Agreement for negotiation with Approved Third Party organisations (ATPs) which incorporates clear reference to the requirements of all the CLEDS Standards and protocols, including the disposal of data from electronic data storage devices. This will ensure that Victoria Police fully complies with this Standard as it relates to ATPs, as opposed to the 41% compliance rating found during this high-level review.

There are a number of improvements to be made before Victoria Police can be judged to be fully compliant with Standard 22. These are discussed below.

While there is information relating to the disposal of law enforcement data from electronic data storage devices available across Victoria Police, there is no single, consistent and up-to-date documentation. The lack of integrated documentation requires responsible staff at individual locations to find and pull these instructions together into a single document for the use of their local staff.

The approach to ensuring the encryption of data held on USB flash drives, and the processes developed to monitor compliance with this requirement, is varied and uncoordinated across Victoria Police. Business Information Technology Services (BITS) lists an approved USB device in its catalogue which comes with encryption software. The use of this flash drive is not mandatory.

In situations where electronic devices containing law enforcement data are removed for destruction by a registered disposal company, the Public Records Act 1973 requirement to obtain a Certificate of Destruction is not always met. This seems to be due in part to the associated cost and in part to a lack of awareness of the requirement.

There is also a lack of general awareness of the requirements of CLEDS Standard 22 among Victoria Police employees in many Departments and areas. Reduced awareness of the requirements will result in poor compliance. There is a need for a more focussed and active approach to ensuring all Victoria Police employees are well aware of their responsibilities regarding information disposal from electronic data storage devices.


More information

Records Management Policy

Records Management Policy Records Management Policy Document Number SOP2006-073 File No. 07/7 Date issued 1 September 2006 Author Branch Records and Mail Services Unit Branch contact 9320.7722 Division Finance & Data Services Summary

More information

Protection of Computer Data and Software

Protection of Computer Data and Software April 2011 Country of Origin: United Kingdom Protection of Computer Data and Software Introduction... 1 Responsibilities...2 User Control... 2 Storage of Data and Software... 3 Printed Data... 4 Personal

More information

Information Management Policy CCG Policy Reference: IG 2 v4.1

Information Management Policy CCG Policy Reference: IG 2 v4.1 Information Management Policy CCG Policy Reference: IG 2 v4.1 Document Title: Policy Information Management Document Status: Final Page 1 of 15 Issue date: Nov-2015 Review date: Nov-2016 Document control

More information

CCTM IA CLAIMS DOCUMENT (ICD) Data Eliminate Ltd

CCTM IA CLAIMS DOCUMENT (ICD) Data Eliminate Ltd CCTM IA CLAIMS DOCUMENT (ICD) Data Eliminate Ltd DESTRUCTION OF DATA ON HARD DRIVES, COMPUTER STORAGE MEDIA AND HANDHELD DEVICES INCORPORATING WEEE RECYCLING MANAGEMENT Version 1 VENDOR DETAILS Data Eliminate

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

UNIVERSITY OF MASSACHUSETTS RECORD MANAGEMENT, RETENTION AND DISPOSITION POLICY

UNIVERSITY OF MASSACHUSETTS RECORD MANAGEMENT, RETENTION AND DISPOSITION POLICY DOC. T99-061 Passed by the BoT 8/4/99 UNIVERSITY OF MASSACHUSETTS RECORD MANAGEMENT, RETENTION AND DISPOSITION POLICY The President of the University shall adopt guidelines to require that each campus

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

Data Security Policy

Data Security Policy Policy Number: Revision Number: 0 QP1.44 Date of issue: March 2009 Status: Approved Date of approval: April 2009 Responsibility for policy: Responsibility for implementation: Responsibility for review:

More information

Security Awareness and Training

Security Awareness and Training T h e A u d i t o r - G e n e r a l Audit Report No.25 2009 10 Performance Audit A u s t r a l i a n N a t i o n a l A u d i t O f f i c e Commonwealth of Australia 2010 ISSN 1036 7632 ISBN 0 642 81115

More information

LSE PCI-DSS Cardholder Data Environments Information Security Policy

LSE PCI-DSS Cardholder Data Environments Information Security Policy LSE PCI-DSS Cardholder Data Environments Information Security Policy Written By: Jethro Perkins, Information Security Manager Reviewed By: Ali Lindsley, PCI-DSS Project Manager Endorsed By: PCI DSS project

More information

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY CORPORATE POLICY Document Control Title Paper Records Secure Handling and Transit Policy Author Information Governance Manager ** Owner SIRO/CIARG Subject

More information

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

Information retention and disposal guide. Date: 31 October 2014 Version: 2.0

Information retention and disposal guide. Date: 31 October 2014 Version: 2.0 Information retention and disposal guide Date: 31 October 2014 Version: 2.0 Contents 01. Guidelines The data challenge 5 Compliance what is it and why is it important? 6 The compliant data journey 7 Case

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

Closed Circuit Television (CCTV) code of practice. Based on the publication A Code of Practice for CCTV www.ico.gov.uk

Closed Circuit Television (CCTV) code of practice. Based on the publication A Code of Practice for CCTV www.ico.gov.uk Closed Circuit Television (CCTV) code of practice Based on the publication A Code of Practice for CCTV www.ico.gov.uk Owner: Ian Heywood Last reviewed: July 2011 Contents 1.0 Introduction... 4 2.0 CCTV

More information

Lord Chancellor s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000

Lord Chancellor s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000 Lord Chancellor s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000 Lord Chancellor s Code of Practice on the management of records issued under

More information

Policy Document RECORDS MANAGEMENT POLICY

Policy Document RECORDS MANAGEMENT POLICY The District Council Of Elliston Policy Document RECORDS MANAGEMENT POLICY Date Adopted: 16 th December 2005 Review Date: Ongoing, as necessary Minute Number: 300. 2005 E:\WPData\Jodie\My Documents\policies

More information

Harbinger Escrow Services Backup and Archiving Policy. Document version: 2.8. Harbinger Group Pty Limited Delivered on: 18 March 2008

Harbinger Escrow Services Backup and Archiving Policy. Document version: 2.8. Harbinger Group Pty Limited Delivered on: 18 March 2008 Document version: 2.8 Issued to: Harbinger Escrow Services Issued by: Harbinger Group Pty Limited Delivered on: 18 March 2008 Harbinger Group Pty Limited, Commercial in Confidence Table of Contents 1 Introduction...

More information

COUNCIL POLICY R180 RECORDS MANAGEMENT

COUNCIL POLICY R180 RECORDS MANAGEMENT 1. Scope The City of Mount Gambier Records Management Policy provides the policy framework for Council to effectively fulfil its obligations and statutory requirements under the State Records Act 1997.

More information

University of Limerick Data Protection Compliance Regulations June 2015

University of Limerick Data Protection Compliance Regulations June 2015 University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick

More information

IT Data Security Policy

IT Data Security Policy IT Data Security Policy Contents 1. Purpose...2 2. Scope...2 3. Policy...2 Access to the University computer network... 3 Security of computer network... 3 Data backup... 3 Secure destruction of data...

More information

Data Security Policy. 1. Document Status. Version 1.0. Approval. Review By June 2011. Secure Research Database Analyst. Change History. 1 Version 1.

Data Security Policy. 1. Document Status. Version 1.0. Approval. Review By June 2011. Secure Research Database Analyst. Change History. 1 Version 1. Data Security Policy 1. Document Status Security Classification Level 4 - PUBLIC Version 1.0 Status DRAFT Approval Life 3 Years Review By June 2011 Owner Secure Research Database Analyst Change History

More information

Records and Information Management. General Manager Corporate Services

Records and Information Management. General Manager Corporate Services Title: Records and Information Management Policy No: 057 Adopted By: Chief Officers Group Next Review Date: 08/06/2014 Responsibility: General Manager Corporate Services Document Number: 2120044 Version

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

MONROE COUNTY WATER AUTHORITY IDENTITY THEFT PREVENTION POLICY REVISED MARCH 2014

MONROE COUNTY WATER AUTHORITY IDENTITY THEFT PREVENTION POLICY REVISED MARCH 2014 MONROE COUNTY WATER AUTHORITY IDENTITY THEFT PREVENTION POLICY REVISED MARCH 2014 Section 41.90 of Title 12 of the Code of Federal Regulations (the Regulations ) requires every utility that offers or maintains

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website

Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Date created: November 2015 Date for review: July 2016 Created by: Mark Vanstone,

More information

Approved By: Agency Name Management

Approved By: Agency Name Management Policy Title: Effective Date: Revision Date: Approval(s): LASO: CSO: Agency Head: Media Protection Policy Every 2 years or as needed Purpose: The intent of the Media Protection Policy is to ensure the

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

Data Protection for the Guidance Counsellor. Issues To Plan For

Data Protection for the Guidance Counsellor. Issues To Plan For Data Protection for the Guidance Counsellor Issues To Plan For Author: Hugh Jones Data Protection Specialist Longstone Management Ltd. Published by the National Centre for Guidance in Education (NCGE)

More information

Information Governance Framework. June 2015

Information Governance Framework. June 2015 Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

More information

4.01. Archives of Ontario and Information Storage and Retrieval Services. Chapter 4 Section. Background

4.01. Archives of Ontario and Information Storage and Retrieval Services. Chapter 4 Section. Background Chapter 4 Section 4.01 Ministry of Government Services Archives of Ontario and Information Storage and Retrieval Services Follow-up on VFM Section 3.01, 2007 Annual Report Background The Archives of Ontario

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY POLICY STATEMENT The records of Legal Aid NSW are a major component of its corporate memory and risk management strategies. They are a vital asset that support ongoing operations

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

IFRS FOUNDATION DOCUMENT RETENTION AND DESTRUCTION POLICY

IFRS FOUNDATION DOCUMENT RETENTION AND DESTRUCTION POLICY IFRS FOUNDATION DOCUMENT RETENTION AND DESTRUCTION POLICY Purpose The purpose of this policy is to provide the IFRS Foundation with a framework to govern management decisions on whether particular documents

More information

Territory Records (Records Disposal Schedule Disaster Recovery (Human Services) Records) Approval 2005 (No 1)

Territory Records (Records Disposal Schedule Disaster Recovery (Human Services) Records) Approval 2005 (No 1) Australian Capital Territory Territory Records (Records Disposal Schedule Disaster Recovery (Human Services) Records) Approval 2005 (No 1) Notifiable instrument NI2005 157 made under the Territory Records

More information

BIG LOTTERY FUND Document archive and retention policy

BIG LOTTERY FUND Document archive and retention policy BIG LOTTERY FUND Document archive and retention policy December 2010 Sonia Howe Head of Information Governance For further information regarding retention schedules please contact Page 1 of 18 Version

More information

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.

More information

September 28 2011. Tsawwassen First Nation Policy for Records and Information Management

September 28 2011. Tsawwassen First Nation Policy for Records and Information Management Tsawwassen First Nation Policy for Records and Information Management September 28 2011 Tsawwassen First Nation Policy for Records and Information Management Table of Contents 1. RECORDS AND INFORMATION

More information

Policies and Procedures. Policy on the Use of Portable Storage Devices

Policies and Procedures. Policy on the Use of Portable Storage Devices Policies and Procedures Policy on the Use of Date Approved by Trust Board Version Issue Date Review Date Lead Person One May 2008 Dec 2012 Head of ICT Two Dec 2012 Dec 2014 Head of ICT Procedure /Policy

More information

Research Data Management Procedures

Research Data Management Procedures Research Data Management Procedures pro-123 To be read in conjunction with: Research Data Management Policy Version: 2.00 Last amendment: Oct 2014 Next Review: Oct 2016 Approved By: Academic Board Date:

More information

Service Instruction 0759: Destruction of Information Assets (Including Protectively Marked Information)

Service Instruction 0759: Destruction of Information Assets (Including Protectively Marked Information) APPENDIX E Service Instruction 0759 Destruction of Information Assets (Including Protectively Marked Information) Document Control Description and Purpose This instruction is intended to provide guidance

More information

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Information Governance Strategic

More information

Public Records (Scotland) Act 2011. Healthcare Improvement Scotland and Scottish Health Council Assessment Report

Public Records (Scotland) Act 2011. Healthcare Improvement Scotland and Scottish Health Council Assessment Report Public Records (Scotland) Act 2011 Healthcare Improvement Scotland and Scottish Health Council Assessment Report The Keeper of the Records of Scotland 30 October 2015 Contents 1. Public Records (Scotland)

More information

Records Management in the Victorian Public Sector

Records Management in the Victorian Public Sector V I C T O R I A Victorian Auditor-General Records Management in the Victorian Public Sector Ordered to be printed VICTORIAN GOVERNMENT PRINTER March 2008 PP No 86, Session 2006-08 ISBN 1 921060 59 X The

More information

West Midlands Police and Crime Commissioner Records Management Policy 1 Contents

West Midlands Police and Crime Commissioner Records Management Policy 1 Contents West Midlands Police and Crime Commissioner Records Management Policy 1 Contents 1 CONTENTS...2 2 INTRODUCTION...3 2.1 SCOPE...3 2.2 OVERVIEW & PURPOSE...3 2.3 ROLES AND RESPONSIBILITIES...5 COMMISSIONED

More information

This factsheet is for: Senior management of small firms that handle, store or dispose of customers personal data in the course of their business.

This factsheet is for: Senior management of small firms that handle, store or dispose of customers personal data in the course of their business. FSA factsheet for All firms This factsheet is for: Senior management of small firms that handle, store or dispose of customers personal data in the course of their business. It explains: What you should

More information

School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy

School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy Page 1 of 10 Contents 1 Preamble...3 2 Purpose...3 3 Scope...3 4 Roles and responsibilities...3

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Policies, Procedures & Guidelines

Policies, Procedures & Guidelines Policies, Procedures & Guidelines Management Guidance On the Storage and Disposal of Employee Personnel Files Issue Number: 1 Originated by: Human Resource Department Ratified by: SMT & JSPC Agreed by:

More information

Remote Access and Mobile Working Policy. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.1. Approval. Review By June 2012

Remote Access and Mobile Working Policy. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.1. Approval. Review By June 2012 Remote Access and Mobile Working Policy Document Status Security Classification Version 1.1 Level 4 - PUBLIC Status DRAFT Approval Life 3 Years Review By June 2012 Owner Secure Research Database Analyst

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Information Security Policy

Information Security Policy Information Security Policy Contents Version: 1 Contents... 1 Introduction... 2 Anti-Virus Software... 3 Media Classification... 4 Media Handling... 5 Media Retention... 6 Media Disposal... 7 Service Providers...

More information