The Commissioner comments that "Portable Storage Devices continue to pose privacy risks for the public sector", with the survey revealing that "a disappointing number of organisations have showed no improvement as compared with the 2008 results".
The 2011 survey sought to gauge the degree to which the Victorian public sector entities surveyed in 2008 had improved their management of portable storage devices (PSDs) such as USB drives and to explore the management of new devices such as tablets. The Commissioner notes that -
Seven organisations, including three local councils, still had no documented policies and procedures to control the use of PSDs, despite the fact that I recommended in the first survey report that, at a minimum, organisations require them.The report covers 31 of the 55 entities surveyed in 2008. The Commissioner notes that
The fact that 12 organisations still do not restrict the use of PSDs in the face of risks such as those posed by portable external hard drives is unacceptable and that 16 organisations failed to provide any encryption at all on PSDs raises serious doubts as to whether these organisations are taking reasonable steps to secure personal information in compliance with IPP 4 (Data Security). The reality is that these devices now have the capacity to store an organisation’s entire data holdings.
It is difficult to see how organisations that have obligations to manage personal information properly can ignore this significant data security risk. They do so at their peril.
Smartphones, tablets and portable external hard drives represent significant technological advances since 2008. While these technologies can provide great benefits to the workplace they also create additional privacy risks. Portable Storage Device policies should be substantially expanded to cater for the full range of issues raised by the use of these technologies.The report features several recommendations, most of which are directly applicable to public/private sector bodies across Australia -
1. Storage Device Developments
1(a) Organisations should ensure that the use of portable external hard drives is strictly controlled. They pose a major risk to data stores.
1(b) All active ports in a computer fleet should be controlled: not just USB ports.
1(c) Organisations should purchase hardware-encrypted USB keys. They are widely available, reasonably priced and more effective than those which come with encryption software.
2. Smartphones and Tablets
2(a) Organisations should ensure that information and document integrity is not compromised by the use of tablets.
2(b) If cloud services are to be utilised for tablets and smartphones, ensure that personal information is protected as per the Information Privacy Act.
2(c) Portable Storage Device policies should be substantially expanded to cater for the full range of issues raised by the use of tablets and smartphones.
2(d) Organisations should ensure that systems administrators are given full authority to uphold policies and controls regardless of the source of network access requests.
3. Endpoint Security Products
3(a) Endpoint security solutions should incorporate the following features:• the ability to whitelist or blacklist PSDs;3(b) Endpoint security solutions should handle all types of PSD.
• to provide detailed logs of PSD access;
• the ability to control the type of access permitted to specific users or PSDs;
• and to enforce encryption on device connection.
3(c) When considering an endpoint security solution, organisations should ensure that data loss protection features are included. If not, they should augment with a specific data loss protection product.
4. ‘Thin Client’ Solution
4(a) The following features should be examined where ‘thin client’ solutions are being considered:• access to the clipboard should be disabled;4(b) Endpoint security should be considered in parallel with ‘thin client’ solutions to provide full protection
• local drive mapping should be disabled;
• local port mapping should be disabled; and
• there should be restrictions on locally attached printing.
5. Cloud Based Storage
5(a) Where organisations are proposing to use cloud based services, PSDs such as tablets should be included in Privacy Impact Assessments and other forms of risk assessment.
6. CenITex
6(a) CenITex and its clients should work together to implement PSD controls as a matter of priority.
6(b)CenITex should work with its clients to proactively raise standards at the earliest opportunity.