COVER SHEET OF POLICY DOCUMENT
Code Number:
Policy Document Name: Removable Media and Mobile Device Policy
Introduction: Removable media and mobile devices are increasingly used to enable information access and transfer. However, removable media and mobile devices are also a high risk for the Service in terms of loss of information, lack of Corporate access, duplicate work, and potential for attack on CFRS systems. This policy defines how the Service will use removable media and mobile devices while managing information security risks. Knowledge of this policy will enable employees to maintain CFRS security and avoid inadvertently breaching information security.
Owner: Head of ICT
Last Review: Created October 2012
Review Due Date: Every 2 years
Version Control/Amend Schedule: 4.1
Cross References: ICT Acceptable Use policy; Information Security policy
Contents:
Policy statement
Responsibilities
Procedures
1. Encryption
2. Protection of media
3. Security of equipment – data
4. Loss of equipment – data
5. Destruction of information
6. Virus control
BODY OF POLICY DOCUMENT
Policy Document Name: Removable Media and Mobile Device Policy
Policy Element
Policy statement
CFRS will adopt appropriate security practices when using mobile devices and removable media, and will ensure that Service information and associated systems are adequately protected.
Removable media or mobile devices will only be used for information if this method of access or transfer is absolutely necessary, and only if there is an organisational requirement to do so that cannot be met by any other means.
Specific commitments
Mobile media and removable devices must not be used to store data on a permanent basis. All Service data must be stored on the Service network to allow Corporate access and ensure it is backed up automatically by ICT.
This policy will be applied to:
• All information stored on mobile devices, or transferred by removable media.
• Removable media includes, but is not limited to:
- USB sticks
- CDs, DVDs
- Floppy disks
- Memory cards (including Compact Flash, Smart Media, Multi Media, Secure Digital Cards, etc)
- External hard drives
- Laptops, tablet PCs and PDAs
- CFRS issued mobile phones
All employees, contractors, temporary staff and employees of other organisations who directly or indirectly support our ICT services who handle CFRS information will comply with these requirements.
Responsibilities
ICT
ICT will encrypt USB drives and portable devices that will be used for the storage and transfer of CFRS data.
Employees
Employees must only use removable media authorised and purchased through ICT.
IMPORTANT: Personally identifiable or confidential information must only be copied to or stored on any removable media in line with the Information Security policy.
advice.
Refer to the Information Security Policy for details.
Failure to adhere to this policy which results in an information security breach may lead to appropriate disciplinary action being taken as defined in the Information Security Policy.
Procedure Element
List of Procedures
1. Encryption
2. Protection of media
3. Security of equipment – data
4. Loss of equipment – data
5. Destruction of information
6. Virus control
1. Encryption of media
Laptops - All CFRS issued laptops will have full disk encryption installed as standard before they’re issued to staff. If you are aware of any device that is not encrypted, please notify the ICT Service Desk as soon as possible.
USB / removable hard drives – Do not store personally identifiable or confidential information on an unencrypted USB / removable hard drive. These devices should only be used for the transfer of information if they are encrypted and you have the permission of the data owner. They should not be used as a storage or back-up device.
2. Protection of media
You must not store or use removable media or mobile devices as back-up systems for any data. These devices are unreliable for this type of data storage and should only be used for the temporary transport of data. Please do not use this type of device for your primary source of data storage. If for any reason the device becomes corrupted, any data will be unrecoverable. Please contact the ICT Service Desk for advice on long term storage and backups.
3. Security of data
Sufficient care must be taken to ensure that the removable media is secured at all times and any faults with supplied equipment must be reported to the ICT Service Desk immediately. Failure to do so may result in a security breach. Equipment supplied to customers must be used in accordance with CFRS ICT policies.
4. Loss of data
prosecution under the Data Protection Act and may be subject to disciplinary action.
Report any loss of removable media or mobile device (even if encrypted) as soon as possible to the ICT Service Desk.
5. Destruction of information
Employees are responsible for ensuring that personally identifiable or confidential information is not left on removable media for periods longer than necessary. Information that is no longer required must be promptly deleted from mobile devices or removable media in order to comply with the Data Protection Act.
For further advice on the destruction of confidential information, please contact the Information Manager.
6. Virus control
Employees using removable media should be aware that the data contained on the device may carry a virus or malicious software (malware). When data is copied to a CFRS computer from any removable media, it must be scanned by the anti-virus software on the workstation or laptop.
Please contact the ICT Service Desk on the procedure for manual virus scanning.
All users must maintain virus and malware awareness. Users of laptops are responsible for ensuring their anti-virus updates are maintained on a regular basis by connecting to the network daily if possible.
When a laptop is connected to the CFRS network via a network cable, Wi-Fi or docking station, the anti-virus definitions will update automatically at noon. If you have any concerns or would like advice on keeping your machine up-to-date, please contact the ICT Service Desk.
Guidance Element
USB Devices & Memory Sticks
Frequently asked questions
I’ve received an unencrypted memory stick containing data I need to access. Can I use the device?
I have been given an encrypted USB stick from a trusted source but my computer will not read the device?
Again, ICT are implementing software to only allow authorised devices. You should contact the ICT Service Desk who will be able to open the device for you and retrieve the data.
Does all mobile data need to be encrypted?