POLICY ON CONTROL OF REMOVABLE MEDIA

Purpose

This document states the Removable Media policy for COMPANY NAME . The policy
establishes the principles and working practices that are to be adopted by all users
in order for data to be safely stored and transferred on removable media.

This policy aims to ensure that the use of removable media devices is controlled in
order to:
 Enable the correct data to be made available where it is required.
 Maintain the integrity of the data.
 Prevent unintended or deliberate consequences to the stability of COMPANY
NAME . Computer network.
 Avoid contravention of any legislation, policies or good practice
requirements.
 Build confidence and trust in the data that is being shared between systems.
 Maintain high standards of care in ensuring the security of Protected and
Restricted information.
 Prohibit the disclosure of information as may be necessary by law.

Scope

This policy applies to all Departments, Partners, Employees of the Council,

contractual third parties and agents of the Council who have access to COMPANY
NAME . Information, information systems or IT equipment and intends to store any
information on removable media devices.

Definition

This policy should be adhered to at all times, but specifically whenever any user
intends to store any information used by the COMPANY NAME to conduct official
business on removable media devices.
Removable media devices include, but are not restricted to the following:
 CDs.
 DVDs.
 Optical Disks.
 External Hard Drives.
 USB Memory Sticks (also known as pen drives or flash drives).
 Media Card Readers.
 Embedded Microchips (including Smart Cards and Mobile Phone SIM Cards).
 MP3 Players.
 Digital Cameras.
 Backup Cassettes.
 Audio Tapes (including Dictaphones and Answering Machines).

Risks

COMPANY NAME. Recognizes that there are risks associated with users accessing
and handling information in order to conduct official COMPANY NAME business.
Information is used throughout the COMPANY NAME and sometimes shared with
external organizations and applicants. Securing PROTECTS or RESTRICTED data is
of paramount importance – particularly in relation to the COMPANY NAME ’s need
to protect data in line with the requirements of the Data Protection. Any loss of the
ability to access information or interference with its integrity could have a
significant effect on the efficient operation of the COMPANY NAME. It is therefore
essential for the continued operation of the COMPANY NAME that the
confidentiality, integrity and availability of all information recording systems are
maintained at a level, which is appropriate to the COMPANY NAME ’s needs.

This policy aims to mitigate the following risks:

 Disclosure of PROTECT and RESTRICTED information as a consequence of

loss, theft or careless use of removable media devices.
  Contamination of COMPANY NAME networks or equipment through the
introduction of viruses through the transfer of data from one form of IT
equipment to another.
 Potential sanctions against the COMPANY NAME or individuals imposed by
the Information Commissioner’s Office as a result of information loss or
misuse.
 Potential legal action against the COMPANY NAME or individuals as a result
of information loss or misuse.
 COMPANY NAME reputational damage as a result of information loss or
misuse.
Non-compliance with this policy could have a significant effect on the efficient
operation of the COMPANY NAME and may result in financial loss and an inability
to provide necessary services to our customers.

Policy Statement

COMPANY NAME Will ensure the controlled use of removable media devices to store
and transfer information by all users who have access to information, information
systems and IT equipment for the purposes of conducting official Council business.

Applying the Policy

Restricted Access to Removable Media

It is COMPANY NAME Policy to prohibit the use of all removable media devices. The
use of removable media devices will only be approved if a valid business case for its
use is developed. There are large risks associated with the use of removable
media, and therefore clear business benefits that outweigh the risks must be
demonstrated before approval is given.

Requests for access to, and use of, removable media devices must be made to IT
Manager. Approval for their use must be given by Chief Information Security Officer
(CISO).
Should access to, and use of, removable media devices be approved the following
sections apply and must be adhered to at all times.

Procurement of Removable Media

All removable media devices and any associated equipment and software must only
be purchased and installed by IT Services. Non-COMPANY NAME owned
removable media devices must not be used to store any information used to
conduct official COMPANY NAME business, and must not be used with any
COMPANY NAME owned or leased IT equipment.

The only equipment and media that should be used to connect to COMPANY NAME
equipment or the COMPANY NAME network is equipment and media that has been
purchased by the COMPANY NAME and approved by the IT Manager or has been
sanctioned for use by the CISO.

Security of Data

Data that is only held in one place and in one format is at much higher risk of being
unavailable or corrupted through loss, destruction or malfunction of equipment than
data which is frequently backed up. Therefore removable media should not be the
only place where data obtained for COMPANY NAME purposes is held. Copies of
any data stored on removable media must also remain on the source system or
networked computer until the data is successfully transferred to another networked
computer or system.

In order to minimize physical risk, loss, theft or electrical corruption, all storage
media must be stored in an appropriately secure and safe environment.

Each user is responsible for the appropriate use and security of data and for not
allowing removable media devices, and the information stored on these devices, to
be compromised in any way whist in their care or under their control.
All data stored on removable media devices must, where possible, be encrypted. If
this is not possible, then all PROTECT or RESTRICTED data held must be encrypted.

Users should be aware that the COMPANY NAME will audit / log the transfer of
data files to and from all removable media devices and COMPANY NAME -owned IT
equipment.

Incident Management

 It is the duty of all users to immediately report any actual or suspected

breaches in information security to the CISO who will initialize process as
outlined within the Information Security Incident Management Policy.
 It is the duty of all stakeholders to report any actual or suspected breaches in
information security to the CISO or the ISC.
 Any misuse or irresponsible actions that affect business data, or any loss of
data, should be reported as a security incident to the CISO or ISC.

Third Party Access to COMPANY NAME Information

 No third party (external contractors, partners, agents, and the public or non-
employee parties) may receive data or extract information from the
COMPANY NAME ’s network, information stores or IT equipment without
explicit agreement from the CISO.
 In the event, any third parties are allowed access to COMPANY NAME
information then all the considerations of this policy apply to their storing and
transferring of the data.

Preventing Information Security Incidents

 Damaged or faulty removable media devices must not be used. It is the duty
of all users to contact IT Department should removable media be damaged.
 Virus and malware checking software approved by the IT Department must
be operational on both the machine from which the data is taken and the
machine on to which the data is to be loaded. The data must be scanned by
 virus checking software products, before the media is loaded on to the
receiving machine.

 Whilst in transit or storage the data held on any removable media devices
must be given appropriate security according to the type of data and its
sensitivity. Encryption or password control must be applied to the data files
unless there is no risk to the COMPANY NAME , other organizations or
individuals from the data being lost whilst in transit or storage.

Disposing of Removable Media Devices

Removable media devices that are no longer required, or have become damaged,
must be disposed of securely to avoid data leakage. Any previous contents of any
reusable media that are to be reused, either within the COMPANY NAME or for
personal use, must be erased. This must be a thorough removal of all data from the
media to avoid potential data leakage using specialist software and tools. All
removable media devices that are no longer required, or have become damaged,
must be returned to IT Department for secure disposal.

For advice or assistance on how to thoroughly remove all data, including deleted
files, from removable media contact the IT Manager.

User Responsibility

All considerations of this policy must be adhered to at all times when using all types
of removable media devices. However, special attention must be paid to the
following when using USB memory sticks (also known as pen drives or flash drives),
recordable CDs, DVDs and diskettes:
 Any removable media device used in connection with COMPANY NAME
equipment or the network or to hold information used to conduct official
COMPANY NAME business must only be purchased and installed by IT
Department. Any removable media device that has not been supplied by IT
must not be used.
  All data stored on removable media devices must be encrypted where
possible.
 Virus and malware checking software must be used when the removable
media device is connected to a machine.
 Only data that is authorized and necessary to be transferred should be saved
on to the removable media device. Data that has been deleted can still be
retrieved.
 Removable media devices must not to be used for archiving or storing
records as an alternative to other storage equipment.
 Special care must be taken to physically protect the removable media device
and stored data from loss, theft or damage. Anyone using removable media
devices to transfer data must consider the most appropriate way to transport
the device and be able to demonstrate that they took reasonable care to
avoid damage or loss.

For advice or assistance on how to securely use removable media devices, please
contact the IT Manager.

Enforcement

If any user is found to have breached this policy, they may be subject to COMPANY
NAME . Disciplinary Policy and related procedures. If a criminal offence is
considered to have been committed further action may be taken to assist in the
prosecution of the offender(s).

If you do not understand the implications of this policy or how it may apply to you,
seek advice from CISO.