Background
The Scottish public sector generally has high standards when dealing with sensitive data; however, more could, and should, be done. The need to minimise the risk of data loss through the use of removable media, in particular USB memory keys, has been recognised. As technology has developed, these devices have become a very common method for carrying information on the move.
Procurement Scotland have secured the supply of government-approved encrypted memory sticks which are safe for carrying data up to and including RESTRICTED level.
With increasing capacity and compact size comes concern over the security of data in transit. There is particular concern over the ease with which USB flash memory devices can be attached to network-connected PCs or laptops. There are, however, ways in which the risk can be controlled when using USB flash memory devices.
AES Lock encrypted USB keys
The SDMS devices being offered by the Procurement Scotland IT Hardware Portfolio, as part of the Office Supplies Catalogue, can control these risks by the following means:
Internal Settings: Connectivity control software can be used to restrict the "brand" of flash memory that can be connected to your system. Using bespoke software, SDMS can set the flash memory to be specific to your organisation or project. This, in conjunction with the connectivity control software, will enable you to lock out unauthorised devices. A range can be agreed with SDMS.
Accountability: SDMS Ltd can print organisation information directly onto the body of the flash memory device. This can identify the organisation, security classification, project etc. Most importantly SDMS can print, clearly, an individual serial number that can be used to control the allocation of specific devices to authorised users. The pricing offered does not incorporate a logo onto the key.
Protection: The possibility of sensitive data falling into the wrong hands as a result of theft or carelessness can be controlled. AES LOCK Encrypted USB Keys utilise a "Lock Tool" that enforces a password of considerable length and complexity.
Secure erase: Many commercially available erase or format utilities simply delete the file name from the device "index", so that the file appears to be erased. On these devices, entering an incorrect password a low number of times causes the data on the stick to be erased through re-formatting; the existing 256 bit encryption key is erased and a new 256 bit encryption key is generated within the device. This is non-recoverable.
AES Lock Encrypted USB Keys have been approved by a UK Government Department for use with the transportation of data up to and including IL3 (Restricted).
In the event of a lost password there is no admin facility to recover the password or the data if the user does not have administrative rights on their particular system or they are not operating on a Microsoft Vista platform. This enhances the protection level but does place the onus on the user to manage the device and their data.
It is important to remember that the AES devices (as with any other form of removable media) should be treated as a method for transporting data and not as long-term storage. As always, you are strongly advised to make regular backup copies of your data in other secure places.
Note: Encryption does not affect the sensitivity of the data. The device should still be handled, stored and protected as per the sensitivity of the unencrypted data.
These items are available via the Office Supplies catalogue. If you require any information regarding these devices, please contact Lee Rutherford.
Pricing and information can also be obtained from our secure stakeholder site. To gain access please contact Lorraine Hook or Jim Thomson.