A forward-thinking UK borough council has moved to prevent the leakage of any data from its network of 4,100 fixed and mobile desktops by issuing 900 tamper-proof and encrypted USB memory sticks to its workforce.
IT staff at Caerphilly County Borough Council, which is the fourth largest local authority in Wales employing around 9,000 people, have taken the precautionary steps not only to minimise the operational risk of a security breach, but also to put the body in a better position when faced with regulatory audits.
CBR heard from Vernon Coles, the IT security officer at Caerphilly, and its network development officer Wayne Turner, that the council is known for its proactive stance on data security.
It became the first council in Wales to achieve certification status to the BS ISO/IEC 27001 International IT Security Standards, and earlier had been selected as a pilot site for connection to GCSX, the Government Connect Secure Extranet.
“We’ve been accredited for 27001 since 2003, and end point security is routinely assessed as part of the 6-monthly audit process,” Coles explained. The move to lock out foreign, unapproved memory pens was mostly to stop the threat of any data leakage, but the step is also seen as another line of defence against incoming malware, he said.
After a USB pen amnesty, during which employees swapped their unapproved memory sticks for a standardised and fully encrypted approved device, the council started to manage its endpoints using the Safend Protector and Auditor software.
Turner said the system was chosen because it offered a complete audit trail on pen-drive usage, but also because it offered a good level of manageability and granularity in the security policy that can be implemented with the software.
“Previously we had no idea what information was being taken in or out of the organisation. Now we have complete visibility, and if a pen is lost we know it’s safe because it is encrypted, and if one is found we can identify who has lost it.”
Caerphilly council workers receiving one of the 900 branded USB key-ring devices are advised that each one is carefully logged and its unique serial number registered against the individual employee.
Encrypted USB sticks are a little more expensive than standard devices, but they are one way of safeguarding against a data breach.
There have been too many high-profile cases of data loss involving USB devices throughout the UK, most recently by PA Consulting, which lost Home Office details of thousands of criminals that had been stored on an unencrypted computer memory stick.
Turner reports that “users are now comfortable with the new system and they appreciate the importance of taking these preemptive steps to protect the Authority and its employees from any potentially damaging and embarrassing loss of confidential or sensitive data”.