Some of the most sensitive digital data in London resides on the servers of the City of London Police - and a great deal of effort goes into making sure that it isn't downloaded onto portable devices and then lost or stolen.

Some of the precautions are technical, says Gary Brailsford, CIO and head of information management at the City of London Police, which is tasked with policing London's financial district, the so-called "Square Mile". (The Metropolitan police force handles the general policing of London.) Officers' desktop computers, for example, are configured so that data must be stored on secure, centrally-managed network drives, rather than local C: drives. The use of e-mail for file sharing is actively discouraged, and is monitored. Software from security vendor DeviceLock prevents data being downloaded onto floppy drives or USB "thumb" drives. And when it is necessary to use portable media - for instance, so that data can be shared with external agencies such as the Crown Prosecution Service and the Serious Fraud Office - the department has a preferred device: MXI Security's Stealth MXP biometric USB drive.

Rather than just leaving it up to officers to decide when they can use the biometric USB drive, however, the department has created a detailed risk-assessment policy - one that not only establishes a framework for making decisions, but also allows officers insight into the process.

Here's how it works. Before an officer can download any data onto removable media, he or she must file a formal application to do so, and explain what information is involved, how sensitive it is, its security classification, why downloading is required, what steps will be taken to protect it, and what the consequences of loss might be.

Based on the answers, officers themselves can then apply two scoring methodologies used by decision makers - one for risks involved in sharing the data, the other for benefits accruing. In doing so, they can see the likelihood of their request being granted, and at what security level the decision will be made. This part of the form isn't mandatory, explains Brailsford, but is included for informational purposes and to demonstrate transparency into the process.

Completed applications that show excessive risk without the necessary benefit are turned down, Brailsford says. Alternatively, officers requesting permission to, say, download data onto CD-ROMs might be directed to use more secure means, such as the biometric USB device. As a final backstop, the downloading of information with the very highest security classifications is simply prohibited.

"The intention is to encourage the officer to make a judgment call about the desirability of downloading the data in question," Brailsford says. "It's not about blindly asking permission, and filling in the questions. Officers need to think about the fuller implications of what they are asking for, and weighing the risks and the benefits."

Click here to see an excerpt from the risk assessment, including the scoring mechanism.