How To
How To Tell If That USB Download Is Really Worth the Security Risk
A new scoring methodology used by City of London Police helps officers see whether the risks involved with sharing data are worth the benefits.
By Malcolm Wheatley
April 22, 2008 —
Some of the most sensitive digital data in London resides on the servers of the City of London Police--and a great deal of effort goes into making sure that it isn't downloaded onto portable devices and then lost or stolen.
Some of the precautions are technical, says Gary Brailsford, CIO and head of information management at the City of London Police, which is tasked with policing London's financial district, the so-called "Square Mile." (The Metropolitan police force handles the general policing of London.) Officers' desktop computers, for example, are configured so that data must be stored on secure, centrally-managed network drives, rather than local C: drives. The use of e-mail for file sharing is actively discouraged, and is monitored. Software from security vendor DeviceLock prevents data being downloaded onto floppy drives or USB "thumb" drives. And when it is necessary to use portable media--for instance, so that data can be shared with external agencies such as the Crown Prosecution Service and the Serious Fraud Office--the department has a preferred device: MXI Security's Stealth MXP biometric USB drive.
Rather than just leaving it up to officers to decide when they can use the biometric USB drive, however, the department has created a detailed risk-assessment policy--one that not only establishes a framework for making decisions, but also allows officers insight into the process.
Here's how it works. Before an officer can download any data onto removable media, he or she must file a formal application to do so, and explain what information is involved, how sensitive it is, its security classification, why downloading is required, what steps will be taken to protect it, and what the consequences of loss might be.
Based on the answers, officers themselves can then apply two scoring methodologies used by decision-makers--one for risks involved in sharing the data, the other for benefits accruing. In doing so, they can see the likelihood of their request being granted, and at what security level the decision will be made. This part of the form isn't mandatory, explains Brailsford, but is included for informational purposes and to demonstrate transparency into the process. (Read on to see an excerpt from the risk assessment, including the scoring mechanism.)
Completed applications that show excessive risk without the necessary benefit are turned down, Brailsford says. Alternatively, officers requesting permission to, say, download data onto CD-ROMs might be directed to use more secure means, such as the biometric USB device. As a final backstop, the downloading of information with the very highest security classifications is simply prohibited.
Data Center Directions Virtual Conference
Attend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.
Maximizing Site Visitor Trust Using Extended Validation SSL
Now with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site. Learn about EV SSL benefits in the free VeriSign white paper.
- The Latest Advancements in SSL Technology
- Maximizing Site Visitor Trust Using Extended Validation SSL
- How to Offer the Strongest SSL Encryption
- Solving Online Credit Fraud Using Device Reputation
- Forrester Reports 321% ROI Through Device-Based Fraud Management
- Enterprise Management Associates: Taking the Botnet Threat Seriously
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
7th Annual Digital ID World
-
September 8 - 10, 2008Hilton AnaheimRegister now »
Anaheim, California
(ISC)2 members can earn up to 20 CPE Credits
Reference priority code ONLINE and save $800 off the full registration price — attend the program for $995
