Need a removable media policy for ISO 27001 or other information security frameworks? In this article you will be provided with a free removable media policy template and tips for writing your own information security policies.
Get started today—Download the FREE template and customize it to fit the needs of your organization.
“[Removable media is a] portable device that can be connected to an information system (IS), computer, or network to provide data storage. These devices interface with the IS through processing chips and may load driver software, presenting a greater security risk to the IS than non-device media, such as optical discs or flash memory cards. Portable Storage Devices also include memory cards that have additional functions aside from standard data storage and encrypted data storage, such as built-in Wi-Fi connectivity and global positioning system (GPS) reception.” – National Institute of Standards and Technology (NIST)
Removable media devices—also known as portable storage devices—consist of a variety of compact devices that can connect to another device to transmit data from one system to another.
The following are examples of removable media:
A removable media policy—also known as a USB device usage policy, portable storage device policy, or removable storage device policy— is a type of information security policy that dictates the acceptable use of portable storage devices such as USB flash drives, external hard drives, and tape drives.
These policies serve as a critical administrative security control for managing the risks of portable storage devices. They establish the security responsibilities of users, explain the importance of USB security, and provide guidelines for protecting sensitive data when using portable storage devices.
Removable media policies for ISO 27001 & other frameworks commonly include:
Managing the data security risks of removable media devices requires a combination of people, processes, and technology. A removable media policy serves as a critical administrative safeguard by informing users about their security responsibilities and the organization’s USB security processes.
ISO 27001 is a security framework provided by the International Organization for Standardization. As part of meeting ISO 27001 compliance organizations must implement an ISO 27001 removable media policy alongside critical security controls that mitigate the risk of USB device usage.
Without proper guidance and training regarding the acceptable use of removable media devices, users may be tempted to plug rogue USB devices into their computers.
For example, in an experiment conducted by the University of Illinois and the University of Michigan, USB flash drives were scattered across a large university campus resulting in a staggering 45-98% of the USBs being inserted into machines.
For a less theoretical example, there’s also the incident in 2020 where hackers used snail-mail to send a company an envelope with a malware-laced USB thumb drive.
A 2018 study from cybersecurity software company McAfee found that USB drives are the number one data exfiltration vector in European and Asia-Pacific countries.
When you think about it, this is of little surprise. Portable storage devices are, after all, portable, and thus easy to conceal and hard to detect.
These devices can store terabytes of data, making them capable of storing millions of database records, spreadsheets, and other proprietary information. So long as there’s an available port, data can be readily exfiltrated, leading to a serious data breach.
Employees and other insiders are the most prevalent data exfiltration threats here. They’re trusted with physical access to company systems, making data exfiltration attempts simple. All it takes is sneaking in a USB flash drive and transferring files from the network to the USB drives before they walk out of the office.
While a removable media policy cannot prevent data loss all on its own, it sets a norm for portable storage security processes. With this norm in place deviations can be more readily discovered and remediated before they become a serious risk.
Since portable storage devices are capable of storing and transmitting data, they are potential vectors for malware. The infamous Stuxnet computer worm, for example, was able to infect air-gapped computers in an Iranian uranium enrichment plant through infected USB flash drives.
Stuxnet has served as a unique case study for cybersecurity and national security researchers as it managed to cause tangible physical damage to the systems it infected. The worm infected over 200,000 computers and caused 1,000 machines to physically degrade.
In addition to the standard malware risks that could happen when you connect a portable storage device to a computer, there are several proof-of-concept malicious USB devices that have been created by cybersecurity researchers.
While not all of these devices are widely used in the wild, they demonstrate the destructive capabilities of seemingly innocuous USB devices.
The following are examples of malicious USB devices:
For more examples, check out this article.
Information security policies are a critical security control for protecting sensitive data and meeting compliance requirements. This table provides an overview of common security frameworks and the costs associated with non-compliance.
| Full Name | Description | Applies To | Greatest Cost of Non-Compliance (USD) |
|---|---|---|---|
| International Traffic in Arms Regulations (ITAR) | United States – Government regulation of defense-related exports and imports. ITAR requires entities to implement measures to prevent the loss of ITAR-controlled data | All manufacturers, exporters, and brokers of defense-related imports and exports for the USA – including technical data | Civil fines of up to $500,000 per violation, criminal fines up to $1,000,000, 10 years imprisonment per violation, as well as bans from providing future exports. |
| The Federal Information Security Modernization Act of 2014 (FISMA) | United States – Cybersecurity framework for protecting sensitive information held by the federal government and related parties | Executive agencies within the US federal government | Loss of federal funding. A low FISMA grade indicates that you are at risk for a data breach |
| The Personal Data (Privacy) Ordinance (PDPO) | Asia (Hong Kong) – Principle-based data protection law for the use, collection, and handling of personal data. | Private and public sectors that process data in or from Hong Kong | A fine of up to ~$128,862 (HK$1,000,000) and imprisonment. |
| The General Data Protection Regulation (GDPR) | Europe – Principle-based data protection law for the use, collection, and handling of personal data. | Companies and other entities that process personal data of EU citizens, including website cookies and other marketing data | Discretionary fines of the greater of ~$22,096,200 (€20 million) or 4% of annual global turnover |
| The Health Insurance Portability and Accountability Act (HIPAA) | United States – National act for regulating the electronic transmission of health information | Health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards | Fines of up to $1.5 million per violation category per year |
Removable media policies (USB device usage policies) will reference several terms that may not be immediately known to the user. A glossary that includes the data classifications used by your company and a clear descriptor of what constitutes removable media will help ensure that the policy is easily understood.
The key benefit of these policies is how they communicate your organization’s information security procedures.
In your policy you should cover:
In security-conscious environments all users are required to sign out pre-approved portable storage devices. These environments forbid the use of unauthorized USB devices and expect each user to be the sole user of their assigned portable storage device.
If your organization will be using these administrative security controls on-site, you should describe the sign-out process that your users will follow to be assigned authorized storage devices.
In addition to physical and administrative security controls, your removable media policy must address the classifications of data that are permitted on portable storage devices.
These detailed data handling procedures will help to ensure that sensitive information does not find its way onto an easily lost and unencrypted USB flash drive. The procedures will include requirements related to clearing, disposal, encryption, authentication, and data redundancy.
For example, storage devices that once held confidential data should be limited to storing confidential information and should not be re-released as a standard storage device. The reason for this is that file recovery methods could retrieve the sensitive information that was previously stored on the device.
As with any company policy, the effectiveness of your removable media policy is limited to how well it is enforced and communicated. This section will outline the core methods used to improve buy-in and adherence to company policies. For more information, you can read 5 Ways to Enforce Company Policies.
While information security policies cover a technically complex subject, they need to be written in a way that your target audience will understand. Where possible, ensure that any technical terms are accompanied by a glossary entry.
No truly important policies are simply signed and forgotten about. They need to be openly communicated to your workforce and made easily accessible so they can be referenced on an as-needed basis.
Ensure that your removable media policy is provided to new hires and ensure your current employees and other users are aware of what they’ve agreed to when they first signed the policy. Policy communication can be further enhanced with occasional refresher presentations and reviews of the policy between management and their teams.
Policy management software and similar information management tools are valuable resources for providing users with easy access to policies, particularly as revisions are released.
Having the policy in place sets an important precedent, but without a plan for corrective action there is little consequence for non-compliance. Violating removable media policies presents a significant information security risk that simply cannot be left unaddressed.
Depending on the severity of the offense, corrective actions can include the suspension of their access to technology resources, legal action, and/or dismissal. When implementing your policy ensure that everyone is aware of who will be responsible for enforcement and the actions they must take to correct non-compliance issues.
While the policy tackles the information security risks of portable storage from the administrative and procedural perspective, it cannot physically stop your end-users from using unauthorized USB devices.
To truly protect your organization against USB data security risks, you need removable media control software.
With these security tools you can block USB storage devices while allowing trusted devices to be used. These tools further protect sensitive data by monitoring and restricting file transfers to trusted devices. To reduce the administrative overhead these tools can alert designated employees to USB security threats rather than requiring manual review.
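As an added example (not code from the article or from any product it describes), the Python below applies two rules from this article, that only signed-out devices may be used and only by the user they were assigned to, and that a device may hold data only up to the classification it is approved for, to constructed USB connect/write log lines, and flags repeat offenders for the designated reviewer. The device register, classification levels and log format are all assumptions made for the example.

```python
"""Constructed example: evaluate USB device events against a removable media
policy. Register, classification levels and log lines are all made up here."""
from collections import Counter
from dataclasses import dataclass

# Data classification levels, lowest to highest (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

@dataclass(frozen=True)
class Device:
    serial: str
    assigned_to: str   # sole authorized user from the sign-out register
    max_class: str     # highest classification the device is approved to hold

# Constructed sign-out register, keyed by device serial number.
REGISTRY = {
    "SN-1001": Device("SN-1001", "alice", "confidential"),
    "SN-1002": Device("SN-1002", "bob", "internal"),
}

def parse_event(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def evaluate(event: dict) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one connect or write event."""
    dev = REGISTRY.get(event.get("serial", ""))
    if dev is None:
        return "block", "device not in sign-out register"
    if event["user"] != dev.assigned_to:
        return "block", f"device assigned to {dev.assigned_to}"
    if event["kind"] == "write":
        data_class = event.get("class", "")
        if data_class not in LEVELS:
            return "block", "unlabelled data"
        if LEVELS[data_class] > LEVELS[dev.max_class]:
            return "block", f"{data_class} data on {dev.max_class} device"
    return "allow", "authorized device and user"

def review(lines: list[str], threshold: int = 2) -> tuple[list[dict], list[str]]:
    """Evaluate every line; return (decisions, users to alert the reviewer about).
    A user is flagged once their blocked attempts reach `threshold`, so the
    designated reviewer sees repeat offenders without reading every log line."""
    decisions, blocked = [], Counter()
    for line in lines:
        event = parse_event(line)
        verdict, reason = evaluate(event)
        decisions.append({**event, "verdict": verdict, "reason": reason})
        if verdict == "block":
            blocked[event["user"]] += 1
    flagged = sorted(u for u, n in blocked.items() if n >= threshold)
    return decisions, flagged

# Constructed sample log: one clean session, one unregistered stick,
# one over-classified write, and one device used by someone other than its owner.
SAMPLE_LOG = [
    "2024-05-02T09:14:03 host=ws-17 user=alice kind=connect serial=SN-1001",
    "2024-05-02T09:15:10 host=ws-17 user=alice kind=write serial=SN-1001 class=confidential",
    "2024-05-02T10:02:41 host=ws-22 user=carol kind=connect serial=SN-9999",
    "2024-05-02T10:03:05 host=ws-22 user=carol kind=write serial=SN-9999 class=public",
    "2024-05-02T11:30:00 host=ws-05 user=bob kind=connect serial=SN-1002",
    "2024-05-02T11:31:12 host=ws-05 user=bob kind=write serial=SN-1002 class=confidential",
    "2024-05-02T13:45:59 host=ws-05 user=dave kind=connect serial=SN-1002",
]

if __name__ == "__main__":
    decisions, flagged = review(SAMPLE_LOG)
    for d in decisions:
        print(f"{d['ts']} {d['user']:6} {d['kind']:8} {d['verdict']:5} {d['reason']}")
    print("alert reviewer about:", flagged)
```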
While the security of your data is paramount, that does not mean you should forgo consulting your employees – after all, they are the ones that are the most intimately familiar with what is needed for them to work effectively.
Collecting end-user feedback on your endpoint security and management framework provides you with the perfect opportunity to identify elements of your policy that may cause an unexpected productivity bottleneck. While not every piece of feedback can be acted on, you are likely to find opportunities where your proposed policy can be reasonably adjusted to better fit the workflow of your constituents.
In addition to communicating the policy itself, you should provide employees with removable media security awareness training. These training modules will help reinforce the importance of the policy and empower employees with the knowledge they need to use USB storage devices securely.
A policy that is written but not adequately communicated is not likely to effectively fulfill its purpose. Policy education is essential for anyone who is expected to use technology in your workplace as it ensures that your baseline of expectations is fully understood and that a precedent for enforcement is established.
The frequency with which you review your policy will depend on your security needs and the regulatory compliance frameworks you are subject to. For example, entities covered under HIPAA are expected to “review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.”
Each industry and organization will have its own unique set of data security requirements that will heavily inform their USB restriction policy. While the use of data security best practices will always be necessary to adequately protect data, the level of restrictions used as a safeguard will vary in intensity depending on the sensitivity of the data the organization handles and the associated level of risk.
While John’s exact role is top secret, we do know that he works in the field of Military Intelligence. Because John’s information governance and cybersecurity responsibilities are a matter of national security, he takes every precaution available to him to eliminate the potential for unauthorized data transfers and to mitigate cybersecurity threats.
Sam is the HIPAA Security Officer for her company. She uses USB activity monitoring and restriction to protect the sensitive personal health information (PHI) of patients as a technical safeguard for maintaining HIPAA compliance for her company.
Karen is a manager for an independent retail company that sells through an eCommerce platform. Karen’s payment processing is handled by a third party that maintains their own data security compliance, however, she collects personally identifiable information of customers when arranging shipment of her products. She wants to use USB activity monitoring to alert her to incidents of her staff attempting to perform illicit data transfers.
Chris started his design career as a freelancer. Over time his independent operation grew into a modest design agency with his own employees and contractors. To help make IT security easier to manage, he ensures that his creative staff members do not need or have access to any sensitive data for the work that they do. Chris primarily uses file operations monitoring reports to protect his company’s intellectual property (IP) by ensuring that only pre-approved renders for portfolios leave the office.
When developing your security policies, these are key considerations that will influence the measures that you implement, the users and/or devices that you restrict, and how you will best use monitoring data to inform your data security strategy. This section will use an endpoint security policy as an example.
The policies you develop will be heavily influenced by the assets that you manage. Each device has a unique risk level and accompanying management needs. It is critical that you understand the unique needs of each of these devices as they will influence the level of monitoring and restrictions implemented.
Users with access to sensitive data need to be closely monitored, particularly when their endpoints have integrated data transfer hardware such as USB ports, SD/MM card slots, CD drives, or Bluetooth.
Rogue USB devices including personal flash drives, mobile phones, and miscellaneous devices such as USB-powered fans are a potential attack vector. If your company has stringent data security requirements it is strongly advised that you restrict USB devices with software-enforced USB control policies.
Internet connectivity serves as a vital resource for managing distributed teams, sharing information, and connecting with customers. The internet also poses a remarkable cybersecurity vulnerability that needs to be managed appropriately.
The internet provides malware with a gateway to systems through methods such as phishing emails and “drive-by” downloads where a malicious website installs malware on the user’s computer without their knowledge. These internet-based attacks are best mitigated through the use of content filtering tools that allow for the blocking of dangerous websites, prevent the opening of suspicious files, and disable unauthorized computer programs.
IoT devices provide a unique level of risk thanks to a combination of their access to the network and a lack of robust security standards for IoT device manufacturers. A seemingly innocuous IoT sensor that helped a casino manage its aquarium became an entry point for a data breach that resulted in an information leak about the casino’s high-rollers.
IoT vulnerabilities are largely caused by surprisingly widespread practices such as hardcoded passwords, web interfaces without sufficient authentication measures such as multi-factor authentication (MFA), and an inability or lack of support to securely patch known security vulnerabilities.
Due to their unique risk, these devices need to be treated with an added layer of caution, particularly if the device or the manufacturer does not natively support adequate cybersecurity measures. Unless you can confidently confirm otherwise, it is best to assume IoT devices are high-risk and treat them appropriately, including placing them on an entirely separate network that does not have access to sensitive data (“air gapping” or network segmentation).
Mobile devices are popular among professionals that want to continue working while traveling. Unfortunately, the portability of mobile devices comes at the cost of reduced physical security and added network vulnerabilities. If your employees are potentially working from outside a secured building in favor of a local coffee shop, airport, or co-working space, they will require greater monitoring and restriction to address the added risk.
To mitigate the risks associated with mobile devices, you can make use of an enterprise-class Mobile Device Management (MDM) system. An MDM allows you to delete sensitive data remotely, track lost or stolen devices, and enforce MFA on mobile devices, among a suite of other important features for securing mobile endpoints.
Risk Factors for Mobile Devices:
While implementing the highest level of restriction possible will provide greater threat mitigation, a policy that is far more restrictive than necessary for the corresponding risk level will create unnecessary productivity and usability bottlenecks. The bottlenecks caused by an overzealous security policy will needlessly frustrate users, leading to a greater risk of non-compliance with your organization’s policies.
When determining the level of restrictions required for your security policies it is important to tailor the degree of restriction based on the associated risk level. Security risks are typically broken down into three key categories: Low Risk, Moderate Risk, and High Risk.
The risk category for a given endpoint is classified based on the severity of the impact should the device be compromised as well as the likelihood that such an event will occur. It is important to note that while moderate and high-risk assets should be prioritized, even low-risk endpoints must meet minimum security standards to prevent them from becoming a vulnerability due to mismanagement.
An endpoint device that is seemingly low in risk can actually belong to the high-risk category if it has access to a shared network that could be used as an entry point for a hacker performing a cyberattack.
The below risk factors will serve as a baseline for evaluating the risk level of your endpoints. These risk factors can be more or less risky than outlined below depending on how they interact with other risk factors.
A publicly accessible endpoint has lower physical security and is thus potentially a high-risk device, however, if it has no access to sensitive data (ex. a public-facing digital map kiosk that is unable to connect to higher-risk systems) it could be considered low-risk.
| | Lower Risk | Moderate Risk | High Risk |
|---|---|---|---|
| Device Accessibility | Trusted, Monitored & Managed Employees | Trusted, Monitored & Managed Guests | General Public |
| Hardware & Software | Whitelisted/authorized devices | Wireless internet (Wi-Fi); Internet-of-Things (IoT) devices | Unpatched and legacy systems²; Unmanaged USB devices and ports |
| Data Sensitivity | Publicly available data or data that is intended to be openly available without restriction | Unpublished, unclassified, and otherwise non-sensitive internal documents such as meeting minutes | Devices that are connected to a network with access to data that is expected to be compliant with data security requirements such as HIPAA, GDPR, FERPA, FISMA, ITAR, PCI-DSS, etc. |
| Level of Importance | Devices that are connected to systems that provide non-critical services, such as a digital map kiosk for patrons in a mall | Devices that are connected to systems that provide an important service, such as employee workstations that are used to perform day-to-day duties | Devices that are connected to systems that provide a critical service such as IoT-connected power systems; Devices that are connected to systems that would |
| Difficulty of Recovery | The connected system is easily recovered with minimal to no disruption to operations | The connected system is able to be recovered with moderate disruption to operations | The endpoint is connected to systems that are difficult to recover or recovery will cause a major disruption to operations |

¹ Shadow IT: Unapproved software/hardware that is not managed by the corporate IT security team.
² Legacy systems: Systems that rely on outdated hardware and software that is no longer receiving critical security updates from their manufacturer(s) or the organization.
Supporting elements of security policies such as defining the acceptable use of devices are critical for further enforcing endpoint monitoring and restriction practices as they provide the baseline for what will be considered suspicious activity in the context of your organization. With a well-established set of expectations, you can properly address behaviors that put the integrity of data security at risk.
Well-defined and communicated written policies and guidelines provide a necessary structure for communicating your expectations of how endpoint device management and information governance is to be carried out by employees and other users in your company. While templates can serve as a structure for understanding the core principles, you cannot afford to forgo mindfully considering the elements that are important for your company’s data security needs.
Auditing the data and alerts provided by endpoint monitoring software is an integral component of maintaining endpoint security as it provides you and your security team with valuable insights into the activities carried out on endpoints within your network.
The insights from these reports can be used to identify non-compliant users using endpoint devices in an insecure manner, collect evidence of illicit file transfer attempts, and monitor the peripheral devices used within your company.
Information security policies are critical administrative safeguards for protecting sensitive data. By taking a proactive approach to data security your company will be better positioned to use data safely, make advantageous partnerships, and protect the integrity of your operations.
Removable media policies, for example, are key for mitigating the threats of portable storage devices such as mobile phones, USB flash drives, and portable hard drives. By combining these policies with USB control software you can take advantage of the convenience of portable storage while mitigating the associated risks.