This guidance note is directed towards raising an awareness of the privacy risks associated with the use of PSDs in business and government.
Managing the risks of PSD use
Introduce and actively communicate policies that set out how staff may use PSDs
Minimise the use of personal PSDs in the workplace
Actively monitor the use of PSDs for compliance with policies
Portable Storage Devices (PSDs) are small, lightweight, portable, easy to use devices capable of storing and transferring large volumes of information. They include USB sticks, cell phones, iPods, PDAs (personal digital assistants), and smart phones such as BlackBerrys and iPhones.
They are commonly used in both business and government, and widely used in the community. While advances in technology are transforming the way we work, it is easy to be blinded by the positives and fail to recognise and take account of the risks that the uses of PSDs also bring.
Managing the risks of PSD use
Because of their small size, PSDs can be easily lost, misplaced or stolen. If there are no controls to limit access to information contained on the PSD, there could be significant impacts that result from the information being compromised.
Information contained on a PSD can also be compromised through the operation of malware (malicious software) such as viruses, keystroke loggers, and spyware. The malware may also be inadvertently transferred to an agency or business main computer system when the user communicates wirelessly using the PSD or physically connects the PSD into their office computer.
As several high-profile incidents overseas illustrate, these data breaches can seriously damage both the reputation of the agency concerned and the trust that the public has in that agency. This applies equally to those in business.
We recommend that you take these five steps to help safeguard personal information against the risks associated with using PSDs:
1. Assess the risks associated with using PSDs in your organisation.
2. Introduce and actively communicate policies that set out how staff may use PSDs.
3. Minimise the use of personal PSDs in the workplace.
4. Introduce software or hardware controls (or both) to restrict use of PSDs.
5. Actively monitor the use of PSDs for compliance with policies.
The risk assessment exercise can be split into four components:
1. identify the risks associated with PSD use across the different activities within the organisation;
2. consider what the impacts would be if the risk event occurred;
3. evaluate the likelihood that the risk will occur; and
4. decide on a response to mitigate each identified risk.
We recommend a risk averse approach which identifies the worse case scenario and develops a response that mitigates that level of impact. This approach is likely to take care of lower level impacts automatically.
Here are some questions that you might like to consider when completing the risk assessment exercise:
What types of personal information are usually stored on PSDs?
Some information about an individual is more likely to cause significant (physical, financial or psychological) harm if it is compromised, for example, sensitive health or financial information.
Some individuals may also be at particular risk, for example, those in child or witness protection schemes.
What types of PSD are used to handle personal information?
Some PSDs have more functionality to safeguard information held on the device.
How often are PSDs used?
The greater the use of PSDs the more likely it is that they may be compromised.
Are personal PSDs allowed to be used in the workplace?
The use of personal PSDs in the workplace increases the likelihood of information being compromised. We recommend minimising their use in the workplace (see step 3).
What controls are in place to manage the use of PSDs?
We recommend that organisations that hold large amounts of personal information should not rely solely on policy but also use hardware and/ or software controls to restrict or control the use of all PSDs (see step 4).
A comprehensive policy can help to mitigate some of the risks associated with the use of PSDs.
We recommend that PSD policy should include:
• what a PSD is;
• the risks associated with PSDs;
• the control measures in place that relate to PSDs;
• the appropriate use of PSDs, including details about:
– what information may be placed on PSDs;
– what types of PSDs can be used and what types of information can be placed on selected devices;
– how to transfer data using PSDs;
– how and when to delete data from PSDs;
– in what circumstances a PSD can be shared;
– whether a personal PSD can be used for work purposes and what conditions are placed on its use;
– whether a work-owned PSD can also be used for personal use and what conditions are placed on its use;
– password and encryption requirements;
– what to do in the case of loss, stolen, or misplaced PSDs;
– what to do in the event of a security breach;
– what disciplinary actions may be taken against staff where policy is not followed;
– responsibilities of the user for care and handling of PSDs; and
– what to do with damaged or obsolete PSDs.
For policies to be effective they must be actively communicated to staff on a regular basis. Staff should be made aware of the policy at induction, before being issued with a work-owned PSD, and through regular activities to promote continued staff awareness.
The use of personal PSDs in the workplace increases the likelihood of information being compromised. For example:
-• the care accorded to personally owned PSDs is likely to be less than for work-owned devices;
•- personal PSDs are less likely to have up to date security features enabled and hence are more likely to be subject to malware attacks;
•- an organisation can more easily manage software, access controls, and other safeguards on a work-owned PSD;
•- departing employees are more likely to accidently take away personal PSDs containing work information; and
– unauthorised people are more likely to access personal PSDs at the staff member’s home, either inadvertently or by simply borrowing the device.
We recommend strict limits on the use of personal PSDs, in combination with providing suitable work-owned PSDs. Where personal PSDs are allowed, we suggest that you adopt the following policies and controls to minimise the risks:
• – obtain management approval before personal PSDs are used for business purposes;
• – personal PSDs must have equivalent security standards to work-owned devices;
• – personal PSDs must be recorded on a register alongside work-owned devices;
• – personal PSDs used for work purposes must not be shared with non-staff; and
– employment cessation procedures must include steps to verify that business information is removed from personal PSDs.
Organisations that hold large amounts of personal information should not rely solely on policy but also use hardware and/or software controls to restrict or control the use of PSDs.
Hardware controls may include physically disconnecting, removing or sealing off communications ports.
Software controls include the use of encryption, access controls, and malware protection.
We recommend that:
-• encryption should be used for all PSDs that are likely to store personal information;
•- access controls on PSDs are enabled to limit unauthorised access. These could include high strength power on, screensaver and account passwords;
•- where the device permits, organisations should install anti-malware software on all PSDs used to store personal or sensitive information to counter the threats of malware such as viruses and spyware; and
•- the security limitations of different types of PSD are considered during the procurement process.
Step 5 – Actively monitor the use of PSDs for compliance with policies
Organisations that hold large volumes of personal or sensitive information should consider installing software that can track the use of PSDs. This is an invaluable tool to allow for regular monitoring for inappropriate practices, minimising the risk that information will be compromised.
The use of a PSD register is another tool to keep track of PSDs in an organisation. However a register will soon lose its worth unless regular audits are undertaken to confirm that all PSDs are accounted for.
We recommend that you actively audit compliance with PSD usage policies.