The Council and Trust will issue best practice guidance on when it is and is not
appropriate to use removable media and how such media should be used.
The Council and Trust will ensure that all users with a requirement to regularly use
removable media are issued with devices and/or software to facilitate the secure
storage, transportation and access to data held on removable media.
The Council and Trust will provide channels for devices that are not owned or issued
by the Council to connect to Council or Trust computers in a way that mitigates any
associated risk.
The Council and Trust promote awareness of this policy among their user
communities.
3 Purpose
To ensure compliance with legal statute and other mandatory controls
To ensure that these valuable assets are protected from loss, from theft and from
misuse by anyone with an illicit requirement to access Council or Trust information
and systems
4 Scope
This document applies to all Councillors, Committees, Departments, Partners,
Employees of the Council, Employees of local Trusts providing services on behalf of
LBC, contractual third parties and agents of the Council and Trusts who use Luton
Borough Council provided IT facilities and equipment, or have access to, or custody
of, Council or Trust customer information.
All users must understand and adopt this policy and are responsible for ensuring
the safety and security of the Council’s systems and the information that they use or
manipulate.
All users have a role to play and a contribution to make to the safe and secure use
of technology and the information that it holds.
5 Definition
Removable media devices include, but are not restricted to the following
• CDs, DVDs, floppy and optical Disks.
• External Hard Drives.
• USB Memory Sticks (also known as pen drives or flash drives).
• Media Card Readers.
6 Risks
Non-compliance with this policy could have a significant effect on the efficient operation of the
Council and may result in financial loss and an inability to provide necessary services to our
customers.
7 Key Messages
• It is Council and Trust policy to prohibit the use of all removable media devices, except
where there is a clear business case for use and this business case has been approved by
the Corporate Strategy Manager.
• Removable media devices that have not been purchased through IM procurement must not
be used.
• Where data must be imported from a 3rd party removable media device, the 3rd party
removable media handling procedure must be followed
• All removable media must be virus scanned prior to use
• All PROTECT or RESTRICTED data stored on removable media devices must be
encrypted in compliance with Co-Co minimum standards.
• CONFIDENTIAL information may not be stored on removable media except where agreed
with the SIRO and where other mitigating controls exist
• Damaged or faulty removable media devices must not be used and any fault reported
• Special care must be taken to physically protect the removable media device and stored
data from loss, theft or damage.
• Removable media devices that are no longer required, or have become damaged, must be
disposed of securely to avoid data leakage.
• Line Managers must retrieve removable media devices from leavers etc.
It is Council and Trust policy to prohibit the use of all removable media devices. The use of
removable media devices will only be approved if a valid business case for its use is developed.
Requests for access to, and use of, removable media devices must incorporate a business case
outlining why removable media is essential and why other channels for remote or mobile working
are not suitable. Approval for their use must be given by the Council’s Corporate Strategy Manager
or their deputy.
Should access to, and use of, removable media devices be approved the following sections apply
and must be adhered to at all times.
Removable media devices and associated equipment and software that is provided for Council or
Trust users must be purchased and installed by Information Management (see also the Council and
Trust’s Software policy).
Non-council owned removable media devices must not be used to store any information used to
conduct official Council business, and must not be used with any Council owned or leased IT
equipment
Where a 3rd party provides data to the Council or Trust using their own removable media, then the
data may be accessed only as described in the 3rd party removable media handling procedure
Where data is copied from the Council’s private network to removable media, the original must
remain on the source system or networked computer at least until the successful transfer of the
data to another networked (and backed up) computer or system is confirmed.
When data on removable media is amended or added to, this data must be copied to the Council’s
private network (where it can be backed up) at the earliest practical opportunity.
When removed from Council or Trust premises, removable media must be protected from theft or
loss as described in the Remote and Mobile Working Acceptable Use Policy
CONFIDENTIAL data may not be stored on removable media except where authorised by the
SIRO and where additional mitigating controls exist.
Each user is responsible for the appropriate use and security of data and for not allowing
removable media devices, and the information stored on these devices, to be compromised in any
way whilst in their care or under their control.
Where PROTECT or RESTRICTED data is held the encryption must comply with mandatory
minimum standards as described in the Government Connect Code of Connection (Co-Co). Where
a user is unsure as to whether their removable media complies with these standards they should
raise a query to the IM service desk ‘6666’ or with their local IT Representative. It should be noted
that no USB memory sticks issued by the Council or Trust prior to 2009 are compliant with Co-Co
Users should be aware that the Council may audit / log the transfer of data files to and from all
removable media devices and Council or Trust owned IT equipment.
It is the duty of all users to immediately report suspicious activities and actual or suspected
breaches of information security as described in the Information Security Incident Management
Policy and associated procedure.
Any misuse or irresponsible actions that might affect business data, or result in any loss of data,
should be reported as described in the Information Security Incident Management Policy and
associated procedure.
No third party may receive data or extract information from the Council’s private network except
where this process is compliant with the Council’s Information Classification and Handling Policy
and relevant authorisations and mitigating controls are in existence.
Damaged or faulty removable media devices must not be used. It is the duty of all users to contact
the IM service desk ‘6666’ should a device malfunction. The device must not be used pending
repair of any fault. Where a device is damaged beyond repair the device must be securely disposed
of (see section ‘Disposing of removable media devices’).
8.8 Virus scanning
All removable media must be virus scanned prior to being connected to a Council or Trust
computer or prior to any data resident on it being copied to the Council’s private network.
Scanning must follow the ‘Virus scanning process for removable media’ held on the Council’s Intranet.
Removable media devices that are no longer required or which are obsolete must be surrendered
by users to their Line Manager in the first instance. If the device cannot be usefully re-assigned
within the Department or Service it must be passed to Information Management for secure wiping
and environmentally friendly destruction. Under no circumstances should an obsolete device be
given away or disposed via any channel other than through Information Management
Non-council owned removable media devices must not be used to store any information used to
conduct official Council business, and must not be used with any Council owned or leased IT
equipment
Non Council removable media may only be accessed as described in the section ‘Importing Data
from 3rd Party Removable Media’.
All PROTECT and RESTRICTED data stored on removable media devices must be encrypted
using software or devices that comply with mandatory minimum standards as described in the
Government Connect Code of Connection (Co-Co).
All removable media must be virus scanned as described in the section ‘Virus scanning’
Only data that is both authorised and necessary should be saved on to the removable media
device. Users must note that files and data that have been deleted can still be retrieved
Removable media devices must not be used for archiving or storing records as an alternative to
other storage equipment.
Special care must be taken to physically protect the removable media device as described in the
section ‘Security of Data and Media’.
[Flowchart: Copy data to network → Confirm copy successful → Securely erase device → Return / Store / Destroy device]
No removable media device may connect to a Council or Trust computer unless there is a
clear business reason for the connection.
Data may then be loaded as described in the steps ‘scanning removable media’ onwards.
This process of scanning media on a stand-alone computer is known as ‘sheep dipping’ i.e.
we ‘dip’ the media with our anti-virus scanners before we allow them to join the rest of the
flock i.e. to talk to any other computer on the Council’s private network.
Where a virus is detected the device must be removed from the unconnected computer
and a call placed on the IM service desk ‘6666’
Users are reminded that Software must only be purchased and installed via Information
Management as described in the ‘Software policy’.
Otherwise
• Removable media devices containing software must be surrendered to Information
Management who will inventory them and place them into their secure, software
library.
• Where removable media has not been securely erased and contains personal data
or data classified as PROTECT or RESTRICTED that must be returned to the
originator, this must be done in person.
Policy enforcement
The interpretation and application of this policy in relation to any alleged
non-compliance will be undertaken as follows:
Breaches of this policy will be subject to Council or Trust disciplinary policy and
procedures, contractual terms and conditions and civil and criminal law as
appropriate.
If you do not understand the implications of this policy or how it may apply to you,
please seek advice by submitting an e-mail enquiry to the IM service desk ‘6666’ in
the first instance.
9 Policy Governance
The following table identifies who within Luton Borough Council is Accountable,
Responsible, Informed or Consulted with regards to this policy. The following
definitions apply:
Further Definitions
Council - Within this policy, this definition applies only to Luton Borough Council
Trust - Within this policy, this definition applies to Active Luton and Luton Cultural Services
Trust
Council Private Network - A network that is owned or controlled by Luton Borough Council,
which is primarily for the use of Council and Trust employees and which is only accessible
to members of the public or 3rd parties who have been enrolled as per the Council’s
‘Access Control Policy for Information Systems’.
11 References