Caerphilly County Borough Council takes a proactive approach to securing removable data

(23/07/2009)

Caerphilly County Borough Council is the 4th largest Local Authority in Wales and employs around 9,000 people making it the largest employer in the area. The Council delivers a wide range of services to the 171,000 people living in the Caerphilly County Borough including education, environmental services, social services, finance, highways, leisure services and consumer protection.

The council takes IT Security very seriously. Of the 410 Local Government Authorities in the UK and Wales it was the second council in the UK and the first council in Wales to achieve certification status to the BS ISO/IEC 27001:2005, International IT Security Standards (previously known as the BS7799 standards). Its forward thinking security policies and adherence to standards also prompted its selection by Government Connect in November 2008 to be a pilot site for connection to GCSX, the Government Connect Secure Extranet linking it into other secure networks such as the Police, NHS, Criminal Justice Secure Mail, and the Probation Service.

Advances in USB technology have introduced a number of convenient and physically very small devices that can store vast amounts of data. There have been many high profile cases regarding data loss of USB devices throughout UK, and Caerphilly CBC wanted to minimise these risks to the Authority and ensure that their staff and the public were protected from similar incidents. With this in mind the Corporate IT Security Forum Group embarked on a search for an ‘Endpoint Security’ solution to address the threats posed by removable media.

The IT Security team in conjunction with Procurement established a comprehensive tender requirements document with two critical requirements: the chosen solution had to be 100% tamper proof, as well as maintaining a comprehensive audit trail.

"It was recognised very early on in the project that the Authority had a fundamental mandatory requirement to fulfil. The chosen solution must be able to identify (where possible) the unique serial number held within the removable device media. This enables us to link specific devices to an individual, and it also allows us to maintain auditable records within the system, the IT ordering process and our asset management system", said Vernon Coles, Principal I.T. Security Officer.

Following a detailed tender process, software evaluation and an independent penetration security test by a leading third party consultancy organisation, whose remit was to find any potential vulnerability in the software, the council selected the Safend Protector and Auditor solution, which passed all stringent security tests.

The council’s implementation team worked closely with Safend’s distributor Vigil Software on the design and implementation plan. “Vigil was excellent throughout the process in the professional and helpful way in which they conducted themselves throughout the tendering, design and deployment stages. Their support team was responsive and helpful at all times and quick to offer constructive and practical advice and assistance at every step of the way,” comments Wayne Turner, Network Development Officer.

During 2008 the Safend product was deployed on the Authorities’ PCs and laptops in "monitoring mode". This allowed the security team to get a complete picture of the removable devices in use in the organization and the files that had been written to those devices retrospectively since the PCs had been commissioned. The results gave the security team an idea of the scale of the project they were embarking on by providing them with a complete audit trail and visibility for any data entering or leaving the Authority either on USB device, mass storage, CD or DVD.

As a next stage the IT security team conducted a user awareness exercise to ensure that all Caerphilly CBC employees had a full understanding of the acceptable usage policy for USB removable devices, and also explained to all employees that because the entire USB device itself will be strongly encrypted then there would be no compromise to confidential data should the pen drive be accidentally lost or stolen.

This awareness approach was combined with a USB amnesty, asking users to return their non-Caerphilly CBC USB pen drives for replacement Safend encrypted branded USB pen drive, subject to the provision of a business justification for their usage. They were also advised that each device was carefully logged and its unique serial number registered against the individual employee, allowing it to be instantly identified in the event of it being misplaced or stolen.

In September 2008 the Authority implemented a full lock down policy, allowing only encrypted, unique serial numbered, Caerphilly CBC branded USB pen drives to be accessed by approved staff. After an initial flurry of support desk calls from users finding unauthorised pen drives blocked, Wayne Turner reports that the system is now well bedded in. He reports that “users are now comfortable with the new system and they appreciate the importance of taking these preemptive steps to protect the Authority and its employees from any potentially damaging and embarrassing loss of confidential or sensitive data”.

Vernon Coles admits to being satisfied with the Safend Protector solution, which provides strong data protection and robust central management. He adds, "Safend Protector's extremely granular policies have allowed us the flexibility to enforce our corporate policies for a range of removable storage devices in confidence, enabling us to protect the confidentiality of the Authorities data held on these types of devices.”

Related topics:  Computer and PC Security   Data management and data security 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources