Corporate Removable Storage Devices Usage Policy

for All councillors and officers (including third party agents, temporary, contract staff and anyone who comes into contact with council information)

Effective Date: December 2008
Version 0.15 DRAFT

Salford City Council – Corporate RSD Usage Policy

Document Control

Version Control / History

Name              Description     Date
Tad Ligman        Draft           21st Nov 2008
David Sackfield   Agreed V1-00    1st Dec 2008

Approvals

Name / Position / Date Approved
Salford City Council Strategic Director Customer & Support Services    Dec 2008

Corporate Information Resources Team

INTRODUCTION

Salford City Council (SCC) is reliant on information for the delivery of a diverse range of services to citizens, visitors, partners, businesses and other organisations in Salford. SCC must therefore ensure its information assets are protected and used in a responsible manner, solely to further council objectives, for the benefit of the stakeholders it serves.

In certain instances, council information is shared in line with legal and regulatory requirements within and between directorates, and in some cases with external organisations. SCC must therefore adopt, implement and maintain a suitably designed Removable Storage Device (RSD) Policy, which clearly defines the responsibilities of all councillors and officers, including third-party agents of the council, temporary, contract staff, partners and anyone who comes into contact, direct or otherwise, with council information via such devices.

This policy has been specifically brought in to bring the council into compliance with the Gov Connect[1] and Payment Card Industry Data Security Standards (PCI DSS) standards. These conditions are mandatory for the council and all council officials who come into contact with council information or information systems.

This is a living document and, over time, it may become necessary to alter its contents to keep it in line with security changes to the corporate working environment.

PURPOSE

This document describes the policy for the acceptable usage of Removable Storage Devices (RSD) within SCC. This policy does not prevent the use of such devices, but rather informs users of what they can or cannot do and the consequences of not complying with the terms of this policy. Use of such devices is permitted for authorised business purposes only.

This policy covers all RSDs which can be connected via a number of means, such as:

- a Universal Serial Bus (USB) stick, pen drive, flash drive, etc.
- an iPod, iPhone or Smartphone
- any XDA or Personal Digital Assistant (PDA) devices
- any type of memory card e.g. compact flash, Secure Digital (SD) card, XD card
- Peripheral Component Interconnect (PCI) / PC Card / Personal Computer Memory Card International Association (PCMCIA)
- a camera with a USB (or other) drive connection
- other data storage devices e.g. CD-ROM, DVD, external hard drives
- Bluetooth
- Wi-Fi
- Infra Red (IR)

[1] Gov Connect is a national strategy for the safe and secure communications between government bodies in the UK.

ACCEPTABLE USAGE

RSD Devices

The council supplies a range of approved RSDs for authorised business purposes/use only. This includes secure encrypted devices and non-secure devices for general use – see data transportation policy for guidance on transportation of data. Please contact the ICT help desk or use the Report It / Request It to place an order for a USB pen (secured or non-secured).

User Responsibilities

User responsibilities are defined as:

- They should ensure the security of any RSDs in their possession.
- RSDs must not be used to bring unauthorised data or malicious code onto the SCC network
- An RSD should not be used to copy / transport data without appropriate permission
- RSDs must not be used in a way that contravenes any legislation e.g. Data Protection Act (DPA)
- They should report any loss or suspected loss of an RSD that contains data that is protectively marked, personal data or could cause the council to suffer financial loss or reputational damage

Use of Non-ICT Supplied RSDs

Directorates can procure their own RSDs and line management can authorise the use of private devices, but restrictions apply to such usage: devices must not be used to transport / hold any data that:

- is protectively marked restricted or higher
- is identified as sensitive personal or personal data as defined by the DPA
- if lost would result in the council suffering financial loss or reputational damage

It is recommended that non-council devices (e.g. iPods, MP3 players, etc.) are not plugged in to be charged; such action is only permissible with line management approval.

Disciplinary

All users are required to comply with this policy and any breaches will be reported to management, who will liaise with Human Resources on disciplinary action, which could include dismissal depending on the nature of data and activity detected.