
APPENDIX 9

Removable Media Policy

Removable Media - Acceptable use policy

PART ONE: PURPOSE & SCOPE, RESPONSIBILITIES, REFERENCES, AND REVISION


2 Policy Statement

The Council and Trust will issue best practice guidance on when it is and is not
appropriate to use removable media and how such media should be used.

The Council and Trust will ensure that all users with a requirement to regularly use
removable media are issued with devices and/or software to facilitate the secure
storage, transportation and access to data held on removable media.

The Council and Trust will provide channels for devices that are not owned or issued
by the Council to connect to Council or Trust computers in a way that mitigates any
associated risk.

The Council and Trust will promote awareness of this policy among their user
communities.

3 Purpose
To ensure compliance with legal statute and other mandatory controls.

To define user responsibilities in safeguarding Council and Trust equipment,
information systems and the data that resides in them.

To ensure that these valuable assets are protected from loss, from theft and from
misuse by anyone seeking illicit access to Council or Trust information and systems.

4 Scope
This document applies to all Councillors, Committees, Departments, Partners,
Employees of the Council, Employees of local Trusts providing services on behalf of
LBC, contractual third parties and agents of the Council and Trusts who use Luton
Borough Council provided IT facilities and equipment, or have access to, or custody
of, Council or Trust customer information.

All users must understand and adopt this policy and are responsible for ensuring
the safety and security of the Council’s systems and the information that they use or
manipulate.

All users have a role to play and a contribution to make to the safe and secure use
of technology and the information that it holds.

5 Definition

Removable media devices include, but are not restricted to, the following:
• CDs, DVDs, floppy and optical disks.
• External Hard Drives.
• USB Memory Sticks (also known as pen drives or flash drives).
• Media Card Readers.

FINAL COPY – v2.0 Page 1 of 9


• Embedded Microchips and storage cards (including those on mobile phones and PDAs).
• MP3 and other music/media players.
• Digital Cameras.
• Backup Cassettes.
• Audio Tapes (including Dictaphones and Answering Machines).

6 Risks

This policy aims to mitigate the following risks:

• Disclosure of PROTECT and RESTRICTED information as a consequence of loss, theft or
careless use of removable media devices.
• Contamination of Council networks or equipment through the introduction of viruses through
the transfer of data from one form of IT equipment to another.
• Potential sanctions against the Council or individuals imposed by the Information
Commissioner’s Office as a result of information loss or misuse.
• Potential legal action against the Council or individuals as a result of information loss or
misuse.
• Council reputational damage as a result of information loss or misuse.

Non-compliance with this policy could have a significant effect on the efficient operation of the
Council and may result in financial loss and an inability to provide necessary services to our
customers.

PART TWO: POLICY

7 Key Messages

• It is Council and Trust policy to prohibit the use of all removable media devices, except
where there is a clear business case for use and this business case has been approved by
the Corporate Strategy Manager.
• Removable media devices that have not been purchased through IM procurement must not
be used.
• Where data must be imported from a 3rd party removable media device, the 3rd party
removable media handling procedure must be followed.
• All removable media must be virus scanned prior to use.
• All PROTECT or RESTRICTED data stored on removable media devices must be
encrypted in compliance with Co-Co minimum standards.
• CONFIDENTIAL information may not be stored on removable media except where agreed
with the SIRO and where other mitigating controls exist.
• Damaged or faulty removable media devices must not be used, and any fault must be reported.
• Special care must be taken to physically protect the removable media device and stored
data from loss, theft or damage.
• Removable media devices that are no longer required, or have become damaged, must be
disposed of securely to avoid data leakage.
• Line Managers must retrieve removable media devices from leavers.

8 Applying the Policy

8.1 Restricted Access to Removable Media

It is Council and Trust policy to prohibit the use of all removable media devices. The use of
removable media devices will only be approved if a valid business case for its use is developed.



There are significant risks associated with the use of removable media, and therefore clear business
benefits that outweigh the risks must be demonstrated before approval is given.

Requests for access to, and use of, removable media devices must incorporate a business case
outlining why removable media is essential and why other channels for remote or mobile working
are not suitable. Approval for their use must be given by the Council’s Corporate Strategy Manager
or their deputy.

Should access to, and use of, removable media devices be approved the following sections apply
and must be adhered to at all times.

8.2 Procurement of Removable Media

Removable media devices and associated equipment and software that are provided for Council or
Trust users must be purchased and installed by Information Management (see also the Council and
Trust Software Policy).

Non-Council owned removable media devices must not be used to store any information used to
conduct official Council business, and must not be used with any Council owned or leased IT
equipment.

8.3 Importing Data from 3rd Party Removable Media

Where a 3rd party provides data to the Council or Trust using their own removable media, the
data may be accessed only as described in the 3rd party removable media handling procedure.

8.4 Security of Data and Media

Where data is copied from the Council’s private network to removable media, the original must
remain on the source system or networked computer at least until the successful transfer of the
data to another networked (and backed up) computer or system is confirmed.

When data on removable media is amended or added to, this data must be copied to the Council’s
private network (where it can be backed up) at the earliest practical opportunity.

When removed from Council or Trust premises, removable media must be protected from theft or
loss as described in the Remote and Mobile Working Acceptable Use Policy.

PROTECT or RESTRICTED data may only be accessed as described in the Information
Classification and Handling Policy and, where applicable, the Remote and Mobile Working
Acceptable Use Policy.

CONFIDENTIAL data may not be stored on removable media except where authorised by the
SIRO and where additional mitigating controls exist.

Each user is responsible for the appropriate use and security of data and for not allowing
removable media devices, and the information stored on these devices, to be compromised in any
way whilst in their care or under their control.

Where PROTECT or RESTRICTED data is held, the encryption must comply with the mandatory
minimum standards described in the Government Connect Code of Connection (Co-Co). Where
a user is unsure whether their removable media complies with these standards, they should
raise a query with the IM service desk ‘6666’ or with their local IT Representative. It should be noted
that no USB memory sticks issued by the Council or Trust prior to 2009 are compliant with Co-Co.




Users should be aware that the Council may audit / log the transfer of data files to and from all
removable media devices and Council or Trust owned IT equipment.

8.5 Incident Management

It is the duty of all users to immediately report suspicious activities and actual or suspected
breaches of information security as described in the Information Security Incident Management
Policy and associated procedure.

Any misuse or irresponsible actions that might affect business data, or result in any loss of data,
should be reported as described in the Information Security Incident Management Policy and
associated procedure.

8.6 Third Party Access to Council Information

No third party may receive data or extract information from the Council’s private network except
where this process is compliant with the Council’s Information Classification and Handling Policy
and relevant authorisations and mitigating controls are in existence.

8.7 Damaged or faulty devices

Damaged or faulty removable media devices must not be used. It is the duty of all users to contact
the IM service desk ‘6666’ should a device malfunction. The device must not be used pending
repair of any fault. Where a device is damaged beyond repair, the device must be securely disposed
of (see section ‘Disposing of Removable Media Devices’).

8.8 Virus scanning

All removable media must be virus scanned prior to being connected to a Council or Trust
computer and prior to any data resident on the media being copied to the Council’s private network.
Scanning must follow the ‘Virus scanning process for removable media’ held on the Council’s Intranet.

8.9 Disposing of Removable Media Devices

Removable media devices that are no longer required or which are obsolete must be surrendered
by users to their Line Manager in the first instance. If the device cannot be usefully re-assigned
within the Department or Service, it must be passed to Information Management for secure wiping
and environmentally friendly destruction. Under no circumstances should an obsolete device be
given away or disposed of via any channel other than through Information Management.

8.10 Retrieval of Removable Media Devices from leavers


It is the responsibility of the Line Manager to ensure that users who leave Council or Trust
employment, or who terminate their contract or engagement with the Council, return all Council or
Trust equipment as defined within the HR Information Security Standards policy. This includes the
return of removable media.

8.11 User Responsibility



All considerations of this policy must be adhered to at all times when using all types of removable
media devices.

Non-Council owned removable media devices must not be used to store any information used to
conduct official Council business, and must not be used with any Council owned or leased IT
equipment.

Non Council removable media may only be accessed as described in the section ‘Importing Data
from 3rd Party Removable Media’.

All PROTECT and RESTRICTED data stored on removable media devices must be encrypted
using software or devices that comply with mandatory minimum standards as described in the
Government Connect Code of Connection (Co-Co).

All removable media must be virus scanned as described in the section ‘Virus scanning’.

Only data that is both authorised and necessary should be saved on to the removable media
device. Users must note that files and data that have been deleted can still be retrieved unless
the media has been securely erased.

Removable media devices must not be used for archiving or storing records as an alternative to
other storage equipment.

Special care must be taken to physically protect the removable media device as described in the
section ‘Security of Data and Media’.

PART THREE: PROCEDURES

3rd party removable media handling procedure

Process flow (reconstructed from the flowchart):
1. Request to use removable media: explore alternatives and use an alternative channel where one is available.
2. Where no alternative channel exists, or media is sent without notice: sheep dip the device.
3. Copy data to network.
4. Confirm copy successful.
5. Securely erase device.
6. Return / Store / Destroy device.




Risks associated with removable media


Use of removable media for data transfer should always be a solution of last resort, due to
the increased risks to the data and to the Council network that arise from this channel. A
summary of these risks is provided in the ‘Removable media Policy’.

No removable media device may connect to a Council or Trust computer unless there is a
clear business reason for the connection.

Request from 3rd party to provide data on removable media


Where a 3rd party wishes to provide data via removable media, alternative channels for
receipt of the data must be explored. This exploration and the solution chosen must take
into account the sensitivity of the data and any rules imposed by the Council and Trust
‘Information Classification and Handling Policy’.

No alternative channel available


Where there is a clear business requirement to load the data, and no suitable alternative
channel can be agreed, data may be provided on removable media provided that this
media is suitably protected in transit and on receipt in compliance with the ‘Information
Classification and Handling Policy’.

Data may then be loaded as described in the steps ‘scanning removable media’ onwards.

Removable media already on site


Where media is already on site and there is a clear business requirement to load the data,
the data may be loaded as described in the steps ‘Scanning removable media’
onwards.

Scanning removable media (sheep dipping)


Any removable media device poses a significant risk to the Council. These risks are
documented within the removable media policy, but include an enhanced risk of virus
infection together with enhanced risks of data theft and loss.

A clear business reason must exist for the importation.

No removable media may be connected to any computer that regularly accesses
RESTRICTED data or which accesses GCSx.

Data must be virus scanned on a computer that:


• has an up-to-date virus scanner
• is not connected to the Council’s private network

This process of scanning media on a stand alone computer is known as ‘sheep dipping’ i.e.
we ‘dip’ the media with our anti-virus scanners before we allow them to join the rest of the
flock i.e. to talk to any other computer on the Council’s private network.

Where a virus is detected, the device must be removed from the unconnected computer
and a call placed with the IM service desk ‘6666’.



The device may not be connected to any other computer. The computer which undertook
the scan may not be placed back onto the Council network until it is given a clean bill of
health by IM engineers.

Import data from the removable media device


Where the data and device do not contain a virus, the data may be copied to the Council’s
private network for access by Council and Trust users.

Verify that data has been successfully copied


Users must verify that all relevant data has been successfully copied.

Securely erase PROTECT, RESTRICTED or personal data


Once the data has been successfully copied, any personal data or data that may be
classified as PROTECT or RESTRICTED must be securely erased. Secure erasure can only
be carried out by Information Management or your local IT representative. If necessary you
should raise a call with the IM service desk ‘6666’ to facilitate secure erasure.

Secure erasure is not necessary where:


• Data concerned is Software AND the media must be securely stored for possible
future reuse
• The provider has issued an explicit instruction not to erase the data from the
removable media device; in which case the data must be stored or returned securely

Users are reminded that Software must only be purchased and installed via Information
Management as described in the ‘Software policy’.

Securely Store, return or destroy removable media


Where the data has been securely erased from the removable media, the removable media
device must be returned to the originator or destroyed in a secure, environmentally friendly
manner by Information Management. It must not be retained by the user or passed to
anyone else for personal use.

Otherwise:
• Removable media devices containing software must be surrendered to Information
Management who will inventory them and place them into their secure, software
library.

• Any removable media containing personal data or data classified as PROTECT or
RESTRICTED must be stored securely, e.g. in a locked cabinet or safe.

• Where removable media has not been securely erased and contains personal data
or data classified as PROTECT or RESTRICTED that must be returned to the
originator, this must be done in person.
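The ‘Import data’ and ‘Verify that data has been successfully copied’ steps above say what must happen but not how a user can demonstrate it. The following is an added example, not part of the Council’s procedure or any IM tooling: it copies the contents of a (scanned) media directory into a staging directory and re-hashes every copy with SHA-256, so that a mismatch is caught before the source media is erased (the media is the only copy until the transfer is confirmed, as section 8.4 notes). The virus scan remains the sheep-dip step and is not performed here, and nothing here erases the media, which the procedure reserves for Information Management. The directory layout and sample files are constructed for the demonstration.

```python
"""Copy files from scanned removable media into a staging directory and
verify the copy with SHA-256 checksums.

Added example; not the Council's procedure or tooling. Paths and sample
files are constructed for illustration and created in a temp directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative, POSIX-style) to its digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def import_media(media_root: Path, staging_root: Path) -> dict:
    """Copy everything on the media to staging, then re-hash the copies.

    Returns the source manifest plus the lists of verified and mismatched
    files. Any mismatch means the copy must be repeated before the media
    is handed over for secure erasure.
    """
    source = build_manifest(media_root)
    staging_root.mkdir(parents=True, exist_ok=True)
    for rel in source:
        dst = staging_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(media_root / rel, dst)  # copy2 preserves timestamps
    copied = build_manifest(staging_root)
    verified = [rel for rel in source if copied.get(rel) == source[rel]]
    mismatched = [rel for rel in source if copied.get(rel) != source[rel]]
    return {"source": source, "verified": verified, "mismatched": mismatched}


def demo() -> dict:
    """Run the import against a constructed 'media' tree in a temp folder,
    then corrupt one staged file to show the re-check catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp) / "media"
        staging = Path(tmp) / "staging"
        (media / "reports").mkdir(parents=True)
        (media / "reports" / "q1.csv").write_bytes(b"id,value\n1,42\n")
        (media / "readme.txt").write_bytes(b"constructed sample data\n")
        report = import_media(media, staging)
        # Simulate a truncated copy and re-verify against the source manifest.
        (staging / "readme.txt").write_bytes(b"truncated")
        recheck = build_manifest(staging)
        report["after_tamper_mismatched"] = [
            rel for rel, digest in report["source"].items()
            if recheck.get(rel) != digest
        ]
    return report


if __name__ == "__main__":
    r = demo()
    print("verified:", r["verified"])
    print("mismatched:", r["mismatched"])
    print("mismatched after tamper:", r["after_tamper_mismatched"])
```

The source manifest is computed before the copy and the staged manifest after it, so a file that was unreadable on the media, truncated in transit or altered on the network share shows up as a mismatch rather than being silently accepted. Keeping the manifest with the imported data also gives the user something concrete to attach when recording that the transfer was confirmed.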

PART FOUR: ENFORCEMENT, GOVERNANCE, DEFINITIONS AND REFERENCES

Policy enforcement
The interpretation and application of this policy in relation to any alleged non-compliance
will be undertaken as follows:



Alleged non-compliance by:              Interpretation and enforcement by:
Council employees                       Council HR and Head of Service
Trust employees                         Council/Trust HR and Trust Chief Executive
Council members                         Council’s Monitoring Officer and Head of Local Democracy
Contractors or partner organisations    Contract/relationship manager and contracting organisation/partner
Staff agencies                          Contract/relationship manager and Council/Trust HR
Visitors or guests                      Relevant Department Director

Breaches of this policy will be subject to Council or Trust disciplinary policy and
procedures, contractual terms and conditions and civil and criminal law as
appropriate.

If you do not understand the implications of this policy or how it may apply to you,
please seek advice by submitting an e-mail enquiry to the IM service desk ‘6666’ in
the first instance.

9 Policy Governance
The following table identifies who within Luton Borough Council is Accountable,
Responsible, Informed or Consulted with regards to this policy. The following
definitions apply:

• Responsible – the person(s) responsible for developing and implementing the
policy.
• Accountable – the person who has ultimate accountability and authority for the
policy.
• Consulted – the person(s) or groups to be consulted prior to final policy
implementation or amendment.
• Informed – the person(s) or groups to be informed after policy implementation or
amendment.

Responsible     Head of Information Management and Head of Human Resources

Accountable     Council’s Senior Information Risk Officer (SIRO)

Consulted       Information Steering Group (ISG), Human Resources, Legal Services,
                Communications, Departmental representatives, Trust representatives,
                Employee Relations Forum, Corporate Leadership Management Team (CLMT),
                Unions, employee representatives, representatives of Council members and
                special interest groups

Informed        All Council employees, Trust employees, Council members, temporary staff
                and contractors, suppliers and partner organisations.

10 Review and Revision


This policy, and all related appendices, will be reviewed as it is deemed appropriate,
but no less frequently than every 12 months.

Policy review will be undertaken by the Heads of Information Management and Human
Resources or their delegates.

Further Definitions
Council - Within this policy, this definition applies only to Luton Borough Council

Trust - Within this policy, this definition applies to Active Luton and Luton Cultural Services
Trust.

Council Private Network - A network that is owned or controlled by Luton Borough Council,
which is primarily for the use of Council and Trust employees and which is only accessible
to members of the public or 3rd parties who have been enrolled as per the Council’s
‘Access Control Policy for Information Systems’.

PROTECT, RESTRICTED and CONFIDENTIAL Information – Cross-Government data
classification standards relating to sensitive information; detailed descriptions of these
classifications can be found in the Central Government criteria for protective marking (SPF), a
copy of which is held on the intranet Government Connect page. Details of how
PROTECT and RESTRICTED information must be handled can be found in the Council’s
Information Classification and Handling Policy.

11 References

Legal, statutory and mandatory requirements


• Data Protection Act 1998
• Government Connect Code of Connection (Co-Co)

Other guidelines and documents referenced by this policy


• Local Government Data Handling Guidelines
• ISO27001:2005 Security standard
• Central Government criteria for protective marking
• Home working policy
• Access Control Policy for Information Systems
• Acceptable use policy for e-mail service users
• Information classification and handling policy

