Protecting sensitive data in transit

For City of London Police, information leakage isn’t just business-critical, it is a matter of life or death. Loss of life could be the ultimate price to pay should sensitive data being transported by police officers be mislaid. That’s why City of London Police has taken industry-leading steps to make sure that an electronic data breach remains unlikely.

With its Wood Street headquarters just steps from the financial heart of London and a beat covering the Square Mile, City of London Police is focused on white-collar crime such as fraud, and in combating terrorist attacks within the City. Established in 1829, City of London Police is today the UK’s lead force in countering fraud.
City of London Police is also involved in implementing the Home Office IMPACT program, designed to improve the ability of the UK police service to manage and share information between police forces to prevent crime and provide safer communities.
Defining best practice in this field has also required City of London Police to develop a model IT governance policy in order to protect information within, and from outside, its own network. Over the last five years, the force has taken sweeping measures to protect its electronic borders and defend the integrity of its information. In addition to a comprehensive and rigorous IT security policy, all potential points for electronic data leakage have been systematically identified and secured.
As well as safeguards against unauthorised electronic transmission of data, City of London Police has taken steps to prevent ‘thumbsucking’ – the unauthorised copying of data onto portable storage devices.
To achieve this it has locked down USB computer ports on all computers.
However, the force also recognised that a complete system lockdown would be counter-productive, as officers and administrative staff still needed to physically move data around during investigations and operations, and when interchanging intelligence with other forces, such as the neighbouring Metropolitan Police Service (MPS).
Therefore, City of London Police has established and implemented secure procedures for anyone who wants to bring in, or take out, digital information – issuing secure, personal portable storage devices to authorised officers and civilians.
The threat of electronic data leakage came to the forefront when City of London Police upgraded to a Windows 2000 Professional-based network in 2005.
Beforehand, the unauthorised copying of data was less of an issue since USB ports were simply not recognised by the earlier Windows NT 4.0 operating system, and all USB devices were disabled at basic input-output system (BIOS) level. However, in planning the upgrade, City of London Police’s head of Information management, Gary Brailsford-Hart, was well aware of the new challenges he would face.

Data management
After evaluating various options, Mr Brailsford-Hart secured all USB ports with DeviceLock, a sophisticated solution that not only controls device-level access but also logs information copied to and from permitted USB devices and drives.
To harden the security policy, City of London Police regulations state that officers and civilians may only be issued with portable media devices once they have successfully submitted a written risk assessment – with the policy applying to all portable storage media, from a humble 1.44Mb floppy disk drive through to portable hard-drives with capacities running into hundreds of Gb.
This comprehensive set of measures ensures watertight control of portable storage devices within the police network, but it left information management head Mr Brailsford-Hart looking for the missing link in the puzzle: control of portable storage and the possible consequences should sensitive, unprotected data be lost or stolen while outside the force’s four walls.
Mr Brailsford-Hart explained: “Information leakage represents the greatest risk to our integrity. There is a risk to life if information from our systems is rel