ICT in the Youth Justice System
Advice on protecting mobile data
Following recent well-publicised press reports of central Government data loss, Government employees are now prohibited from carrying any personal information in an unencrypted form on a mobile device. This includes devices such as laptops, USB data sticks, BlackBerry phones and PDAs.
Although this mandate applies only to central Government offices, and we are not responsible for data assurance in either local or central government, we are sure other youth justice organisations will want to take similar steps to protect themselves from potential reputational risk.
This page provides some core information, learnt while ensuring our own compliance, that partner agencies may find useful when looking at mobile data protection for the first time.
Resources
Central Government complies with certain standards as laid out by CESG, the unit responsible for their data assurance. The CESG website provides useful information, including recommended CAPS-approved encryption packages and technology.
The Centre for the Protection of National Infrastructure website lists a number of technology primers and details best practice for implementing all forms of security, including policy development and physical security.
Guidance on suitable standards will vary depending on the level of risk attached to the data that needs protection. However, in most cases a FIPS-compliant package or device will be sufficient. FIPS is a US-defined standard but is recognised by CESG and UK Government. The FIPS website defines standards for all areas of IT; the specific standards concerning the encryption mechanism are detailed in FIPS 140-2.
There are a large number of packages available off the shelf that will help you comply with central government standards and practices. We have recently undertaken evaluations of a number of them and so can offer some pointers on ease of management and recovery.
What we learnt
We found that the way packages are managed and deployed was of critical importance, mainly because the devices they were deployed on would be used remotely. Packages that incorporated granular control through removable devices such as USB sticks and drives scored highly, as this provided a single control interface for all encryption processes and standards. We also found integration within existing infrastructure like MS Active Directory or Novell NDS beneficial, both for ease of management and to lessen the learning curve.
When dealing with a lost security key or fob, a user would prefer the recovery process to be as painless as possible. Some recovery processes took a long and convoluted path to completion and required the user to type in a 65-digit alphanumeric code read out to them over the phone by a support analyst. The room for error was too great to rely on, and so the more workable solutions became more attractive.
A lot of thought needs to be given to the number of factors you use to identify your users, both to the helpdesk and to the computer. A positive identification is imperative to successful implementation, and more factors can mean a more secure system, but at the expense of usability. The old adage of “you can have an easy to use system or a secure system but not at the same time” is very true.
Two-factor authentication is typically chosen as a balance between usability and security. Solutions are available that are secured with just a password, or that use three or more factors (typically a security key or fob, password, PIN or biometric information).
Note that the above information is a guide and does not recommend any particular product or strategy. The resources listed above are not exhaustive but were found to be useful when we looked into solutions to the security problems posed by mobile data.