Home » Data Protection » Network Security

How To

Risk Assessment Tool: Application for Removable Device Media

An excerpt from the form that the City of London uses to decide whether or not to grant officers permission to download data onto portable media

April 22, 2008 —

Part 1: Risk Assessment Scoring

When officers at the City of London police wish to download information onto a portable media device, they must file a formal application to do so. This is the form decision-makers use to evaluate the risk with the proposed data download. (To read about how the police force uses the tool, see "How To Tell If That USB Download Is Really Worth the Security Risk.")

Area	Response	Score
Amount of information	Small <100kb Medium < 5Mb Large > 5Mb	35 40 50
Is the use of the device restricted to specific users?	Yes No	-5 10
Can transfers of information be audited?	Yes No	-10 10
Can the information be checked for malicious code?	Yes No	-10 20
What is the classification of the information involved?	Unclassified Restricted Confidential Secret	0 20 40 80
Can the information be easily accessed if the device/media is lost?	Yes No	20 -30
What are the consequences of losing the device/media?	None Embarrassing Endangers cases Endangers individuals	0 10 50 200
How easily can the information be transferred to other devices/media?	Easy Difficult Not possible	50 10 -50
Are there effective procedures in place that will reduce risk of misuse?	Yes No	00 50
Are there effective procedures in place that will reduce risk of accidental loss?	Yes No	00 50