Salford City Council – Corporate RSD Usage Policy

Corporate Removable Storage Devices Usage Policy

for

All councillors and officers (including third party agents, temporary, contract staff and anyone who comes into contact with council information)

Effective Date: December 2008

Version 0.15

D R A F T

Document Control
Version Control / History
Name / Description / Date
Tad Ligman / Draft / 21st Nov 2008
David Sackfield / Agreed V1-00 / 1st Dec 2008
Approvals
Name / Position / Date Approved
Salford City Council / Strategic Director Customer & Support Services / Dec 2008

INTRODUCTION

Salford City Council (SCC) is reliant on information for the delivery of a diverse range of services to citizens, visitors, partners, businesses and other organisations in Salford. SCC must therefore ensure its information assets are protected and used in a responsible manner, solely to further council objectives, for the benefit of the stakeholders it serves.

In certain instances, council information is shared in line with legal and regulatory requirements within and between directorates, and in some cases with external organisations. SCC must therefore adopt, implement and maintain a suitably designed Removable Storage Device (RSD) Policy, which clearly defines the responsibilities of all councillors and officers, including third-party agents of the council, temporary, contract staff, partners and anyone who comes into contact, direct or otherwise, with council information via such devices.

This policy has been specifically brought in to bring the council into compliance with the Gov Connect[1] and Payment Card Industry Data Security Standards (PCI DSS). These conditions are mandatory on the council and all council officials who come into contact with council information or information systems.

This is a living document and over time, it may become necessary to apply alterations to its contents, thereby keeping it in line with security changes to the corporate working environment.

PURPOSE

This document describes the policy for the acceptable usage of Removable Storage Devices (RSD) within SCC.

This policy does not prevent the use of such devices, but rather informs users of what they can or cannot do and the consequences for not complying with the terms of this policy. Use of such devices is permitted for authorised business purposes only.

This policy covers all RSDs which can be connected via a number of means, such as:

  • a Universal Serial Bus (USB) stick, pen drive, flash drive, etc.
  • an iPod, iPhone or Smartphone
  • any XDA or Personal Digital Assistant (PDA) devices
  • any type of memory cards e.g. compact flash, Secure Digital (SD) card, XD card
  • Peripheral Component Interconnect (PCI) / PC Card / Personal Computer Memory Card International Association (PCMCIA)
  • a camera with a USB (or other) drive connection
  • Other data storage devices e.g. CD-ROM, DVD, external hard drives
  • Bluetooth
  • Wi-Fi
  • Infra Red (IR)

ACCEPTABLE USAGE

RSD Devices

The council supplies a range of approved RSDs for authorised business purposes/use only. This includes secure encrypted devices and non-secure devices for general use – see data transportation policy for guidance on transportation of data. Please contact the ICT help desk or use the Report It / Request It to place an order for a USB pen (secured or non-secured).

User Responsibilities

User responsibilities are defined as:

  • They should ensure the security of any RSDs in their possession.
  • RSDs must not be used to bring unauthorised data or malicious code onto the SCC network
  • An RSD should not be used to copy / transport data without appropriate permission
  • RSDs must not be used in a way that contravenes any legislation e.g. Data Protection Act (DPA)
  • They should report any loss or suspected loss of an RSD that contains data that is protectively marked, personal data or could cause the council to suffer financial loss or reputational damage

Use of Non-ICT-Supplied RSDs

Directorates can procure their own RSDs and line management can authorise the use of private devices, but restrictions apply to such usage: devices must not be used to transport / hold any data that:

  • is protectively marked restricted or higher
  • is identified as sensitive personal or personal data as defined by the DPA
  • if lost would result in the council suffering financial loss or reputational damage

It is recommended that non-council devices (e.g. iPods, MP3 players, etc.) are not plugged in to be charged; such action is only permissible with line management approval.

Disciplinary

All users are required to comply with this policy, and any breaches will be reported to management, who will liaise with Human Resources on disciplinary action, which could include dismissal depending on the nature of data and activity detected.

Corporate Information Resources Team

[1] Gov Connect is a national strategy for safe and secure communications between government bodies in the UK.