It's really not that hard...
1) Encrypt ALL sensitive data. Even if every-one involved gets the same password. (True-crypt). Even a bored plod at a seminar can probably remember that. Make the password "doughnut" or "accidental death in police custody", or "tourist". You get the picture...
2) Disable USB in password protected BIOS
3) Hot Glue / super-glue shut all USB ports just to make sure. Takes, at most, 5 minutes, on an unplugged box
4) Remove or don't order CD / DVD write capable devices. A DVD reader for those who REALLY NEED them. PC Plod doesn't need external data, it's ALL on the network FFS.
5) Carry on executing electricians, ejecting pensioners, harassing photographers, etc. Ad nausea, and WE will probably never find out.
Cheques to the usual address please.
Oh, and put one of these penguins on your pooters!
In fact, WTF don't the UK.gov just fork their own branch of Red-Hat or Debian / Umbongo and sort out the whole governmental IT landscape. You know, like those "backward" Latin American electrician training types seem to have managed.....
That's another £45 million consultancy in the bag! kthnxbye XXX