Need a removable media policy for ISO 27001 or other information security frameworks? In this article you will be provided with a free removable media policy template and tips for writing your own information security policies.
- Set data security standards for portable storage
- Define the acceptable use of removable media
- Inform your users about their security responsibilities
Get started today—Download the FREE template and customize it to fit the needs of your organization.
- What Are Removable Media Devices?
- What Is a Removable Media Policy?
- Why You Need a Removable Media Policy
- What to Include in Your Removable Media Policy
- How to Enforce & Implement Your Removable Media Policy
- Removable Media Policy Template
- USB Security Policy Examples
- 4 Critical Considerations for an Information Security Policy
What Are Removable Media Devices?
“[Removable media is a] portable device that can be connected to an information system (IS), computer, or network to provide data storage. These devices interface with the IS through processing chips and may load driver software, presenting a greater security risk to the IS than non-device media, such as optical discs or flash memory cards. Portable Storage Devices also include memory cards that have additional functions aside from standard data storage and encrypted data storage, such as built-in Wi-Fi connectivity and global positioning system (GPS) reception.”– National Institute of Standards and Technology (NIST)
Removable media devices—also known as portable storage devices—consist of a variety of compact devices that can connect to another device to transmit data from one system to another.
The following are examples of removable media:
- USB portable storage devices (“Jump Drive”, “Data Stick”, “Thumb Drive”, “Flash Drive”, etc)
- SDHC, SDXC & SD cards
- External hard drives and external solid-state drives
- R/W Compact Disk or DVD media
- Mobile devices such as tablets, smart devices, cameras, and portable media that support a data storage function such as player-type devices with internal flash or hard drive-based memory.
- eSATA (External Serial Advanced Technology Attachment) devices
- Floppy disks
What Is a Removable Media Policy?
A removable media policy—also known as a USB device usage policy, portable storage device policy, or removable storage device policy— is a type of information security policy that dictates the acceptable use of portable storage devices such as USB flash drives, external hard drives, and tape drives.
These policies serve as a critical administrative security control for managing the risks of portable storage devices. They establish the security responsibilities of users, explain the importance of USB security, and provide guidelines for protecting sensitive data when using portable storage devices.
Removable media policies for ISO 27001 & other frameworks commonly include:
- Security requirements for removable media devices
- The company’s stance on the use of personal storage devices and using company-provided storage devices for personal use
- Administrative requirements for obtaining and returning authorized portable storage devices
- Policies and procedures for managing third-party storage devices
- Responsible use expectations for users
- Data handling procedures for removable storage
Why You Need a Removable Media Policy
Managing the data security risks of removable media devices requires a combination of people, processes, and technology. A removable media policy serves as a critical administrative safeguard by informing users about their security responsibilities and the organization’s USB security processes.
ISO 27001 Compliance
ISO 27001 is a security framework provided by the International Organization for Standardization. As part of meeting ISO 27001 compliance organizations must implement an ISO 27001 removable media policy alongside critical security controls that mitigate the risk of USB device usage.
Cyber Security Threats Against Removable Media
Without proper guidance and training regarding the acceptable use of removable media devices, users may be tempted to plug rogue USB devices into their computers.
For example, in an experiment conducted by the University of Illinois and the University of Michigan, USB flash drives were scattered across a large university campus resulting in a staggering 45-98% of the USBs being inserted into machines.
For a less theoretical example, there’s also the incident in 2020 where hackers used snail-mail to send a company an envelope with a malware-laced USB thumb drive.
Insider Data Theft
A 2018 study from cybersecurity software company McAfee found that USB drives are the number one data exfiltration vector in European and Asia-Pacific countries.
When you think of it, this is of little surprise. Portable storage devices are, after all, portable. And thus easy to conceal and hard to detect.
These devices can store terabytes of data, making them capable of storing millions of database records, spreadsheets, and other proprietary information. So long as there’s an available port, data can be readily exfiltrated, leading to a serious data breach.
Employees and other insiders are the most prevalent data exfiltration threats here. They’re trusted with physical access to company systems, making data exfiltration attempts simple. All it takes is sneaking in a USB flash drive and transferring files from the network to the USB drives before they walk out of the office.
While a removable media policy cannot prevent data loss all on its own, it sets a norm for portable storage security processes. With this norm in place deviations can be more readily discovered and remediated before they become a serious risk.
Risk of Malware Infection
Since portable storage devices are capable of storing and transmitting data, they are potential vectors for malware. The infamous Stuxnet computer worm, for example, was able to infect air-gapped computers in an Iranian uranium enrichment plant through infected USB flash drives.
Stuxnet has served as a unique case study for cybersecurity and national security researchers as it managed to cause tangible physical damage to the systems it infected. The worm infected over 200,000 computers and caused 1,000 machines to physically degrade.
Bad USB Attacks
In addition to the standard malware risks that could happen when you connect a portable storage device to a computer, there are several proof-of-concept malicious USB devices that have been created by cybersecurity researchers.
While not all of these devices are widely used in the wild, they demonstrate the destructive capabilities of seemingly innocuous USB devices.
The following are examples of malicious USB devices:
- Rubber Ducky: A USB device that poses as a human interface device (HID) to inject a preloaded keystroke sequence. This sequence allows threat actors to initiate a malicious sequence at superhuman speeds.
- USBKill: A USB device that is used to physically stress test USB hardware. When plugged in the USBKill takes power from the USB port, multiplies it, and discharges it into the data lines, which typically disables an unprotected device.
- USB Thief: A sophisticated USB malware that steals data from infected systems. Each instance of the trojan relies on the USB device on which it is installed, leaving no evidence of compromise on the infected system.
For more examples, check out this article.
The High Cost of Non-Compliance at a Glance
Information security policies are a critical security control for protecting sensitive data and meeting compliance requirements. This table provides an overview of common security frameworks and the costs associated with non-compliance.
|Full Name||Description||Applies To||Greatest Cost of Non-Compliance (USD)|
|International Traffic in Arms Regulations (ITAR)||United States – Government regulation of defense-related exports and imports ITAR requires entities to implement measures to prevent the loss of ITAR-controlled data||All manufacturers, exporters, and brokers of defense-related imports and exports for the USA – including technical data||Civil fines of up to $500,000 per violation, criminal fines up to $1,000,000, 10 years imprisonment per violation, as well as bans from providing future exports.|
|The Federal Information Security Modernization Act of 2014 (FISMA)||United States – Cybersecurity framework for protecting sensitive information held by the federal government and related parties||Executive agencies within the US federal government||Loss of federal funding. A low FISMA grade indicates that you are at risk for a data breach|
|The Personal Data (Privacy) Ordinance (PDPO)||Asia (Hong Kong) – Principle-based data protection law for the use, collection, and handling of personal data.||Private and public sectors that process data in or from Hong Kong||A fine of up to ~$128,862 (HK$1,000,000) and imprisonment.|
|The General Data Protection Regulation (GDPR)||Europe – Principle-based data protection law for the use, collection, and handling of personal data.||Companies and other entities that process personal data of EU citizens, including website cookies and other marketing data||Discretionary fines of the greater of ~$22,096,200 (€20 million) or 4% of annual global turnover|
|The Health Insurance Portability and Accountability Act (HIPAA)||United States – National act for regulating the electronic transmission of health information||Health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards||Fines of up to $1.5 million per violation category per year|
What to Include in Your Removable Media Policy
Removable media policies (USB device usage policies) will reference several terms that may not be immediately known to the user. A glossary that includes the data classifications used by your company and a clear descriptor of what constitutes removable media will help ensure that the policy is easily understood.
Security Requirements for Removable Media Devices
The key benefit of these policies is how they communicate your organization’s information security procedures.
In your policy you should cover:
- The organization’s stance on the use of personal storage devices and using company-provided storage devices for personal use
- What classes of devices are permitted
- The available alternatives to removable media
- End-user security responsibilities such as the minimum physical safeguards, who is permitted to use assigned devices, etc
- Any complimentary security measures, such as the use of a sandbox environment for testing third-party USB devices before they can be used on networked computers
Administrative Requirements for Obtaining and Returning Authorized Portable Storage Devices
In security-conscious environments all users are required to sign out pre-approved portable storage devices. They will forbid the use of unauthorized USB devices and expect their users to be the sole user of their assigned portable storage device.
If your organization will be using these administrative security controls on-site, you should describe the signout process that your users will follow to be assigned authorized storage devices.
Data Handling Procedures for Removable Storage
In addition to physical and administrative security controls, your removable media policy must address the classifications of data that are permitted on portable storage devices.
These detailed data handling procedures will help to ensure that sensitive information does not find its way onto an easily lost and unencrypted USB flash drive. The procedures will include requirements related to clearing, disposal, encryption, authentication, and data redundancy.
For example, storage devices that once held confidential data should be limited to storing confidential information and should not be re-released as a standard storage device. The reason for this is that file recovery methods could retrieve the sensitive information that was previously stored on the device.
How to Enforce & Implement Your Removable Media Policy
As with any company policy, the effectiveness of your removable media policy is limited to how well it is enforced and communicated. This section will outline the core methods used to improve buy-in and adherence to company policies. For more information, you can read 5 Ways to Enforce Company Policies.
1) Ensure Your Policies Are Understandable
While information security policies are covering a technically complex subject, they need to be written in a way that your target audience will understand. Where possible ensure that any technical terms are accompanied by a glossary entry.
- Keep sentences and paragraphs short
- Use lists frequently to break information down into easily digestible chunks
- Use headers to separate key sections
2) Communicate Your Policy & Make it Accessible
No truly important policies are simply signed and forgotten about. They need to be openly communicated to your workforce and made easily accessible so they can be referenced on an as-needed basis.
Ensure that your removable media policy is provided to new hires and ensure your current employees and other users are aware of what they’ve agreed to when they first signed the policy. Policy communication can be further enhanced with occasional refresher presentations and reviews of the policy between management and their teams.
Policy management software and similar information management tools are valuable resources for providing users with easy access to policies, particularly as revisions are released.
3) Have a Plan for Correcting Usage Issues
Having the policy in place sets an important precedent, but without a plan for corrective action there is little consequence for non-compliance. Violating removable media policies presents a significant information security risk that simply cannot be left unaddressed.
Depending on the severity of the offense, corrective actions can include the suspension of their access to technology resources, legal action, and/or dismissal. When implementing your policy ensure that everyone is aware of who will be responsible for enforcement and the actions they must take to correct non-compliance issues.
Tips for Policy Enforcement
- Assign a designated member of staff that is responsible for policy enforcement. When they are alerted to suspicious endpoint activity they must investigate it in a timely manner.
- Ensure that all supervisors, managers, and other influencers in your company are leading by example. Your employees cannot be expected to take data security seriously if those above them are not held to the same standard.
- Pre-determine the enforcement procedures that you will perform based on the severity of the actions taken and any other factors that are relevant to your company. Depending on the severity of the non-compliance this could take the form of re-educating users on their expectations and responsibilities or a critical warning that sets a precedent for dismissal.
4) Removable Media Control Software
While the policy tackles the information security risks of portable storage from the administrative and procedural perspective, it cannot physically stop your end-users from using unauthorized USB devices.
To truly protect your organization against USB data security risks, you need removable media control software.
With these security tools you can block USB storage devices while allowing trusted devices to be used. These tools further protect sensitive data by monitoring and restricting file transfers to trusted devices. To reduce the administrative overhead these tools can alert designated employees to USB security threats rather than requiring manual review.
5) Collect Employee Feedback
While the security of your data is paramount, that does not mean you should forgo consulting your employees – after all, they are the ones that are the most intimately familiar with what is needed for them to work effectively.
Collecting end-user feedback on your endpoint security and management framework provides you with the perfect opportunity to identify elements of your policy that may cause an unexpected productivity bottleneck. While not every piece of feedback can be acted on, you are likely to find opportunities where your proposed policy can be reasonably adjusted to better fit the workflow of your constituents.
6) Educate Your Users
In addition to communicating the policy itself, you should provide employees with removable media security awareness training. These training modules will help reinforce the importance of the policy and empower employees with the knowledge they need to use USB storage devices securely.
A policy that is written but not adequately communicated is not likely to effectively fulfill its purpose. Policy education is essential for anyone who is expected to use technology in your workplace as it ensures that your baseline of expectations is fully understood and that a precedent for enforcement is established.
- Use multiple communication channels to disseminate your policy (email, bulletin boards, direct coaching, team meetings, etc).
- Ensure that your policy is readily accessible for anyone that needs to refer to it. The policy can be provided on your company’s intranet or within an employee manual.
- Regularly review your policy with your users to mitigate against non-compliance caused by forgetting the policy’s mandates.
- Periodically test the policy awareness and knowledge of your employees to ensure they understand their endpoint security responsibilities.
7) Review Your Policy Regularly
The frequency with which you review your policy will depend on your security needs and the regulatory compliance frameworks you are subject to. For example, entities covered under HIPAA are expected to “review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.”
When to Review Your Policy
- At a predetermined frequency (at least 1-2x annually)
- After amendments to expectations are made by external regulatory bodies
- When unique threats to data security are identified
- Following a data breach within your company
- After the introduction of a new law that may affect your company (GDPR, CCPA, etc)
- When new technology is introduced to your company
How to Review Your Policy
- Determine the members that will take on the role of Information Security Officer or a similar position. Your designated security personnel will be responsible for ensuring that policies are reviewed appropriately, along with the other key responsibilities as outlined by your organization’s unique regulatory standards.
- Perform a risk analysis to identify areas of your policy that may no longer be relevant or that otherwise need updating to best reflect your current security needs.
- Collect and review policy feedback from key stakeholders to better identify areas of the policy that need to be amended to improve clarity, relevance, or effectiveness.
Removable Media Policy Template
USB Security Policy Examples
Each industry and organization will have its own unique set of data security requirements that will heavily inform their USB restriction policy. While the use of data security best practices will always be necessary to adequately protect data, the level of restrictions used as a safeguard will vary in intensity depending on the sensitivity of the data the organization handles and the associated level of risk.
Example 1 – John, Military Intelligence
While John’s exact role is top secret, we do know that he works in the field of Military Intelligence. Because John’s information governance and cybersecurity responsibilities are a matter of national security, he takes every precaution available to him to eliminate the potential for unauthorized data transfers and to mitigate cybersecurity threats.
John’s USB Security Policy
- All USB devices have been blocked from use on the endpoints he is in charge of protecting.
- His policies are further enforced by physically banning USB devices from the premises – if John discovers a USB device he treats it as a highly suspicious threat.
- Projects that require data transfers must be approved, monitored, and managed by the security team
- Any attempts to bypass USB permissions will send alerts to his security personnel for immediate investigation.
Example 2 – Sam, HIPAA Security Officer
Sam is the HIPAA Security Officer for her company. She uses USB activity monitoring and restriction to protect the sensitive personal health information (PHI) of patients as a technical safeguard for maintaining HIPAA compliance for her company.
Sam’s USB Security Policy
- Only company-provided encrypted USB devices are allowed to be used for transmitting data. Attempts to use personal USB devices are blocked by her endpoint security software and an email alert is sent to her security team for review.
- USB devices must be signed in and out daily and only used internally. Her staff are never permitted to bring their USB devices outside of the building.
- Reports on all file operations & devices connected to endpoints are reviewed by Sam on a daily basis. She uses endpoint activity monitoring to ensure that system activity can be traced to a specific user in the event that a data breach is discovered.
- Attempts to bypass software-enforced endpoint restrictions are blocked, logged, & reported to Sam’s security team for review
Example 3 – Karen, Retail Manager
Karen is a manager for an independent retail company that sells through an eCommerce platform. Karen’s payment processing is handled by a third party that maintains their own data security compliance, however, she collects personally identifiable information of customers when arranging shipment of her products. She wants to use USB activity monitoring to alert her to incidents of her staff attempting to perform illicit data transfers.
Karen’s USB Security Policy
- Unknown USB devices are blocked from transmitting data by default but are later allowed once scanned for viruses
- Data transfers from unknown USB devices are blocked
- The USB ports on her computers are configured to still allow for the charging of phones and other USB devices.
- Karen reviews her endpoint activity reports weekly to check for suspicious file operations & strange endpoint activity
Example 4 – Chris, Design Agency CEO
Chris started his design career as a freelancer. Over time his independent operation grew into a modest design agency with his own employees and contractors. To help make IT security easier to manage, he ensures that his creative staff members do not need or have access to any sensitive data for the work that they do. Chris primarily uses file operations monitoring reports to protect his company’s intellectual property (IP) by ensuring that only pre-approved renders for portfolios leave the office.
Chris’ USB Security Policy
- All USB devices are allowed by default
- Chris is immediately alerted with an email when attempts to transfer specific IP-related file extensions are detected
- To protect company and customer financial data, if anyone in his Finance department tries to transfer files to a USB device they are blocked and Chris is alerted
4 Critical Considerations for an Information Security Policy
When developing your security policies, these are key considerations that will influence the measures that you implement, the users and/or devices that you restrict, and how you will best use monitoring data to inform your data security strategy. This section will use an endpoint security policy as an example.
1) Define the Assets That You Need to Protect
The policies you develop will be heavily influenced by the assets that you manage. Each device has a unique risk level and accompanying management needs. It is critical that you understand the unique needs of each of these devices as they will influence the level of monitoring and restrictions implemented.
USB Device Security
Users with access to sensitive data need to be closely monitored, particularly when their endpoints have integrated data transfer hardware such as USB ports, SD/MM card slots, CD drives, or Bluetooth.
Rogue USB devices including personal flash drives, mobile phones, and miscellaneous devices such as USB-powered fans are a potential attack vector. If your company has stringent data security requirements it is strongly advised that you restrict USB devices with software-enforced USB control policies.
Internet-Connected Hardware, Networking Devices, & Applications
Internet connectivity serves as a vital resource for managing distributed teams, sharing information, and connecting with customers. The internet also poses a remarkable cybersecurity vulnerability that needs to be managed appropriately.
The internet provides malware with a gateway to systems through methods such as phishing emails and “drive-by” downloads where a malicious website installs malware on the user’s computer without their knowledge. These internet-based attacks are best mitigated through the use of content filtering tools that allow for the blocking of dangerous websites, prevent the opening of suspicious files, and disable unauthorized computer programs.
Internet-of-Things (IoT) Devices
IoT devices provide a unique level of risk thanks to a combination of their access to the network and a lack of robust security standards for IoT device manufacturers. A seemingly innocuous IoT sensor that helped a casino manage its aquarium became an entry point for a data breach that resulted in an information leak about the casino’s high-rollers.
IoT vulnerabilities are largely caused by surprisingly widespread practices such as hardcoded passwords, web interfaces without sufficient authentication measures such as multi-factor authentication (MFA), and an inability or lack of support to securely patch known security vulnerabilities.
Due to their unique risk, these devices need to be treated with an added layer of caution, particularly if the device or the manufacturer does not natively support adequate cybersecurity measures. Unless you can confidently confirm otherwise, it is best to assume IoT devices are high-risk and treat them appropriately, including placing them on an entirely separate network that does not have access to sensitive data (“air gapping” or network segmentation).
Mobile Device Management
Mobile devices are popular among professionals that want to continue working while traveling. Unfortunately, the portability of mobile devices comes at the cost of reduced physical security and added network vulnerabilities. If your employees are potentially working from outside a secured building in favor of a local coffee shop, airport, or co-working space, they will require greater monitoring and restriction to address the added risk.
To mitigate the risks associated with mobile devices, you can make use of an enterprise-class Mobile Device Management (MDM) system. An MDM allows you to delete sensitive data remotely, track lost or stolen devices, and enforce MFA on mobile devices, among a suite of other important features for securing mobile endpoints.
Risk Factors for Mobile Devices:
- Insecure Wi-Fi networks (Public Wi-Fi, fake Wi-Fi hotspots set by attackers)
- Data security vulnerabilities caused by attacks that use Bluetooth
- Reduced physical security: Increased opportunities for theft or loss
- Visual eavesdropping when working in public spaces
- Juice Jacking: Compromised public USB charging ports that install malware onto mobile devices
2) Determine the Level of Restrictions Required
While implementing the highest level of restriction possible will provide greater threat mitigation, a policy that is far more restrictive than necessary for the corresponding risk level will create unnecessary productivity and usability bottlenecks. The bottlenecks caused by an overzealous security policy will needlessly frustrate users, leading to a greater risk of non-compliance with your organization’s policies.
When determining the level of restrictions required for your security policies it is important to tailor the degree of restriction based on the associated risk level. Security risks care typically broken down into three key categories: Low Risk, Moderate Risk, and High Risk.
The risk category for a given endpoint is classified based on the severity of the impact should the device be compromised as well as the likelihood that such an event will occur. It is important to note that while moderate and high-risk assets should be prioritized, even low-risk endpoints must meet minimum security standards to prevent them from becoming a vulnerability due to mismanagement.
An endpoint device that is seemingly low in risk can actually belong to the high-risk category if it has access to a shared network that could be used as an entry point for a hacker performing a cyberattack.
The below risk factors will serve as a baseline for evaluating the risk level of your endpoints. These risk factors can be more or less risky than outlined below depending on how they interact with other risk factors.
A publicly accessible endpoint has lower physical security and is thus potentially a high-risk device, however, if it has no access to sensitive data (ex. a public-facing digital map kiosk that is unable to connect to higher-risk systems) it could be considered low-risk.
|Lower Risk||Moderate Risk||High Risk|
|Device Accessibility||Trusted, Monitored & Managed Employees||Trusted, Monitored & Managed Guests||General Public|
|Hardware & Software||Whitelisted/authorized devices||Wireless internet (Wi-Fi)|
Internet-of-Things (IoT) devices
|Unpatched and legacy systems2|
Unmanaged USB devices and ports
|Data Sensitivity||Publicly available data or data that is intended to be openly available without restriction||Unpublished, unclassified, and otherwise non-sensitive internal documents such as meeting minutes||Devices that are connected to a network with access to data that is expected to be compliant with data security requirements such as HIPAA, GDPR, FERPA, FISMA, ITAR, PCI-DSS, etc|
|Level of Importance||Devices that are connected to systems that provide non-critical services, such as a digital map kiosk for patrons in a mall||Devices that are connected to systems that provide an important service, such as employee workstations that are used to perform day-to-day duties||Devices that are connected to systems that provide a critical service such as IoT-connected power systems|
Devices that are connected to systems that would
|Difficulty of Recovery||The connected system is easily recovered with minimal to no disruption to operations||The connected system is able to be recovered with moderate disruption to operations||The endpoint is connected to systems that are difficult to recover or recovery will cause a major disruption to operations|
1 Shadow IT: Unapproved software/hardware that is not managed by the corporate IT security team.
2 Legacy systems: Systems that rely on outdated hardware and software that is no longer receiving critical security updates from their manufacturer(s) or the organization.
3) Supporting Elements for Security Policies
Supporting elements of security policies such as defining the acceptable use of devices are critical for further enforcing endpoint monitoring and restriction practices as they provide the baseline for what will be considered suspicious activity in the context of your organization. With a well-established set of expectations, you can properly address behaviors that put the integrity of data security at risk.
Well-defined and communicated written policies and guidelines provide a necessary structure for communicating your expectations of how endpoint device management and information governance is to be carried out by employees and other users in your company. While templates can serve as a structure for understanding the core principles, you cannot afford to forgo mindfully considering the elements that are important for your company’s data security needs.
What to Include in an Endpoint Security Policy
- What is the goal of your endpoint security policy?
- Maintaining internal or regulatory data security compliance
- Protecting intellectual property (IP) such as trade secrets
- Increasing your company’s competitive advantage by demonstrating proactive cybersecurity to potential business partners and customers
- To mitigate the potential for damage to operations caused by cybersecurity threats
- To protect the safety and security of data in your role as a data processor
- What security measures are you taking to ensure data security?
- Enforced multi-factor authentication (MFA)
- Security software for endpoint device control, antivirus, and content filtering
- Security personnel responsible for policy enforcement and data security management
- Restricting and carefully managing the number of users with administrative access or elevated permissions
- Patch management procedures
- Network segmentation
- Automated “health checks” of devices to verify they meet the minimum cybersecurity standards to access your network
- Cybersecurity training for users that use technology in the workplace
- The development of policies intended to address data security priorities and practices
- What are the security responsibilities of your users and personnel?
- Who is primarily responsible for ensuring information security and compliance in your organization?
- What is considered “mishandling” of data?
- What are the approved procedures for accessing, storing, and transmitting data? Do these measures change based on the data classification?
- Are USB devices and files required to be encrypted?
- Where is data permitted to be stored, transmitted, and accessed?
- Who is allowed to access confidential or sensitive data?
- Who is responsible for maintaining critical security updates (patches)?
- What are the minimum security standards for devices that require connection to your network?
- What applications/devices/peripherals are allowed to be used and what is not permitted?
- Can employees use their own peripherals (USB devices, keyboards, etc), or will that pose an undue security risk?
- Are employees permitted to use their own devices to perform work tasks? If so, what security measures are they expected to take?
- If guests bring USB devices for a presentation or for sharing files, how will your security team manage that? Will they be required to check in with your IT department or will department managers be permitted to manage guest device permissions?
- Who is permitted to install software onto endpoints?
- What operating systems (OSs) are permitted? How will you manage the risks of legacy OSs?
- Other considerations
- Who can employees contact with security concerns and questions?
- How often will your policies be reviewed and updated? Who is responsible for ensuring this is done?
4) Plan For How You Will Use Activity Monitoring Data
Auditing the data and alerts provided by endpoint monitoring software is an integral component of maintaining endpoint security as it provides you and your security team with valuable insights into the activities carried out on endpoints within your network.
The insights from these reports can be used to identify non-compliant users using endpoint devices in an insecure manner, collect evidence of illicit file transfer attempts, and monitor the peripheral devices used within your company.
AccessPatrol’s Endpoint Monitoring Reports & Alerts
- Devices Accessed (All): Receive email alerts or scheduled summary reports when your users (employees, patrons, etc) connect any peripheral devices on your endpoints. These reports are best used for maintaining a log of all endpoint activity for use in the event of an investigation.
- Devices Accessed (Allowed): An overview of the endpoint activity history of allowed peripheral devices. Best used to study the usage patterns of approved peripherals within your company to confirm they are being used as expected.
- Devices Accessed (Blocked): These reports are best used to alert security personnel to attempts to use prohibited devices on company endpoints. The devices will be blocked from use and the user/device that was used inappropriately will be logged for further investigation.
- File Operations: These USB activity reports provide an overview of files that are created, renamed, transferred, or deleted from external storage devices. These reports are critical for monitoring the flow of data to and from USB storage devices as well as identifying the user responsible for initiating the transfer.
Information security policies are critical administrative safeguards for protecting sensitive data. By taking a proactive approach to data security your company will be better positioned to use data safely, make advantageous partnerships, and protect the integrity of your operations.
Removable media policies, for example, are key for mitigating the threats of portable storage devices such as mobile phones, USB flash drives, and portable hard drives. By combining these policies with USB control software you can take advantage of the convenience of portable storage while mitigating the associated risks.