Data protection is a three-part strategy for City of London Police

Safeguarding against the unauthorised copying and transmission of data using mobile devices is a high priority for the City of London Police.

Safeguarding against the unauthorised copying and transmission of data using mobile devices is a high priority for the City of London Police.

But technology is only one part of the strategy to keep data safe, says Gary Brailsford-Hart, the force's chief information officer.

Effective data protection comes from a combination of good technology, governance procedures and behaviour of IT users in an organisation, he told Computer Weekly.

"The steps taken to influence and manage user behaviour are as important as the technology in an effective security strategy," he said.

The technology component for endpoint security at City of London Police is provided by specialist software from security firm DeviceLock.

The only other technology used specifically for endpoint security is a LogCaster log management appliance from NitroSecurity.

"Experience has taught us that simplicity is the key to successful endpoint security," said Brailsford-Hart.

The DeviceLock software logs all data transfers to and from portable devices such as USB sticks, while LogCaster generates alerts to any potential risks, he explained.

These endpoint security systems are used with other systems to monitor all e-mail and web transactions to ensure all potential data leakage points are covered.

Although technology is very light-touch, it is used in conjunction with robust processes for issuing and managing devices that have evolved over the past six years.

The processes ensure police are issued with hardware encrypted, FIPS-2 compliant USB devices only if they meet a required score using an in-house risk-benefit analysis system.

"This process is transparent to ensure all users understand what the risks are and can see that all decisions are based on rules," said Brailsford-Hart.

All force members are required to agree to the strict conditions of use before accepting any USB device.

"We measure success by the fact that we have enabled the business to do what it needs to do, but in a secure way without any data breaches," said Brailsford-Hart.

But he acknowledges that no organisation could say with 100% certainty that it would never experience a data breach.

"The combination of processes and technologies we have in place means we are managing the risk as well as possible and can satisfy any audit that we have taken reasonable steps to safeguard our data," he said.

Brailsford-Hart ascribes the force's good data protection record in part to the fact that no portable storage was allowed before mitigation measures were introduced.

"At no point have we been exposed to anyone plugging in unauthorised devices," he said. "By having the technologies and processes in place from the start, we have not had to face the challenge of trying to put the genie back in the bottle."

City of London Police was fortunate that security is inherently part of the organisation's culture, said Brailsford-Hart, but this was backed up by regular information bulletins.

"Our compliance team regularly updates our 1,200 users on the latest threats, what to look out for, and how they can do what they need to do in a secure way," he said.

Force members also receive regular briefings from the organisation's information security officer so they understand the risks and the reasons behind all security policies.

"Talking to the business is important so that no one feels as if security rules are being imposed on them, but that they are undertaking to work in a certain way for the common good," said Brailsford-Hart.

He will detail how the City of London Police maintains the security of its corporate endpoints and protects its information on the second day of Infosecurity Europe 2010 at Earl's Court in London from 27 to 29 April.

Read more on IT risk management