Corporate Removable Storage Devices Usage Policy
for All councillors and officers (including third-party agents, temporary, contract staff and
anyone who comes into contact with council information)
Effective Date: December 2008
Version 0.15
DRAFT
Salford City Council – Corporate RSD Usage Policy
Document Control
Version Control / History
Name             Description    Date
Tad Ligman       Draft          21st Nov 2008
David Sackfield  Agreed V1-00   1st Dec 2008
Approvals
Name
Position
Date Approved
Salford City Council
Strategic Director Customer & Support Services
Dec 2008
Corporate Information Resources Team
INTRODUCTION
Salford City Council (SCC) is reliant on information for the delivery of a diverse range of
services to citizens, visitors, partners, businesses and other organisations in Salford. SCC must
therefore ensure its information assets are protected and used in a responsible manner, solely
to further council objectives, for the benefit of the stakeholders it serves.
In certain instances, council information is shared in line with legal and regulatory requirements
within and between directorates, and in some cases with external organisations. SCC must
therefore adopt, implement and maintain a suitably designed Removable Storage Device (RSD)
Policy, which clearly defines the responsibilities of all councillors and officers, including
third-party agents of the council, temporary, contract staff, partners and anyone who comes into
contact, directly or otherwise, with council information via such devices.
This policy has been specifically brought in to bring the council into compliance with Gov
Connect [1] and the Payment Card Industry Data Security Standards (PCI DSS). These
conditions are mandatory on the council and all council officials who come into contact with
council information or information systems.
This is a living document and over time, it may become necessary to apply alterations
to its contents, thereby keeping it in line with security changes to the corporate
working environment.
PURPOSE
This document describes the policy for the acceptable usage of Removable Storage Devices
(RSD) within SCC.
This policy does not prevent the use of such devices, but rather informs users of what they can or
cannot do and the consequences for not complying with the terms of this policy. Use of such
devices is permitted for authorised business purposes only.
This policy covers all RSDs which can be connected via a number of means, such as:
• a Universal Serial Bus (USB) stick, pen drive, flash drive, etc.
• an iPod, iPhone or Smartphone
• any XDA or Personal Digital Assistant (PDA) devices
• any type of memory card, e.g. compact flash, Secure Digital (SD) card, XD card
• Peripheral Component Interconnect (PCI) / PC Card / Personal Computer Memory Card International Association (PCMCIA)
• a camera with a USB (or other) drive connection
• other data storage devices, e.g. CD-ROM, DVD, external hard drives
• Bluetooth
• Wi-Fi
• Infra Red (IR)
[1] Gov Connect is a national strategy for the safe and secure communications between government
bodies in the UK.
ACCEPTABLE USAGE
RSD Devices
The council supplies a range of approved RSDs for authorised business purposes/use only.
This includes secure encrypted devices and non-secure devices for general use – see the data
transportation policy for guidance on transportation of data. Please contact the ICT help desk or
use Report It / Request It to place an order for a USB pen (secured or non-secured).
User Responsibilities
User responsibilities are defined as:
• They should ensure the security of any RSDs in their possession.
• RSDs must not be used to bring unauthorised data or malicious code onto the SCC network.
• An RSD should not be used to copy / transport data without appropriate permission.
• RSDs must not be used in a way that contravenes any legislation, e.g. the Data Protection Act (DPA).
• They should report any loss or suspected loss of an RSD that contains data that is protectively marked, personal data or could cause the council to suffer financial loss or reputational damage.
Use of Non-ICT-Supplied RSDs
Directorates can procure their own RSDs and line management can authorise the use of private
devices, but restrictions apply to such usage: devices must not be used to transport / hold
any data that:
• is protectively marked restricted or higher
• is identified as sensitive personal or personal data as defined by the DPA
• if lost would result in the council suffering financial loss or reputational damage
It is recommended that non-council devices (e.g. iPods, MP3 players, etc.) are not plugged in to
be charged; such action is only permissible with line management approval.
Disciplinary
All users are required to comply with this policy and any breaches will be reported to management
who will liaise with Human Resources on disciplinary action which could include dismissal depending
on the nature of data and activity detected.