How to Write & Enforce a Removable Media Policy [Free Template]

Free removable media policy template from CurrentWare

Need a removable media policy for ISO 27001 or other information security frameworks? In this article you will be provided with a free removable media policy template and tips for writing your own information security policies.

removable media policy template mockup

Removable Media
Policy Template

  • Set data security standards for portable storage
  • Define the acceptable use of removable media
  • Inform your users about their security responsibilities

Get started today—Download the FREE template and customize it to fit the needs of your organization.

Table of Contents



What Are Removable Media Devices?

A 32 gigabyte USB flash drive sitting on top of a computer keyboard

“[Removable media is a] portable device that can be connected to an information system (IS), computer, or network to provide data storage. These devices interface with the IS through processing chips and may load driver software, presenting a greater security risk to the IS than non-device media, such as optical discs or flash memory cards. Portable Storage Devices also include memory cards that have additional functions aside from standard data storage and encrypted data storage, such as built-in Wi-Fi connectivity and global positioning system (GPS) reception.”

– National Institute of Standards and Technology (NIST)

Removable media devices—also known as portable storage devices—consist of a variety of compact devices that can connect to another device to transmit data from one system to another. 

The following are examples of removable media:

  • USB portable storage devices (“Jump Drive”, “Data Stick”, “Thumb Drive”, “Flash Drive”, etc)
  • SDHC, SDXC & SD cards
  • External hard drives and external solid-state drives
  • R/W Compact Disk or DVD media
  • Mobile devices such as tablets, smart devices, cameras, and portable media that support a data storage function such as player-type devices with internal flash or hard drive-based memory.
  • eSATA (External Serial Advanced Technology Attachment) devices
  • Floppy disks

What Is a Removable Media Policy?

Man signing an acceptable use policy

A removable media policy—also known as a USB device usage policy, portable storage device policy, or removable storage device policy— is a type of information security policy that dictates the acceptable use of portable storage devices such as USB flash drives, external hard drives, and tape drives. 

These policies serve as a critical administrative security control for managing the risks of portable storage devices. They establish the security responsibilities of users, explain the importance of USB security, and provide guidelines for protecting sensitive data when using portable storage devices.

Removable media policies for ISO 27001 & other frameworks commonly include:

  • Security requirements for removable media devices
  • The company’s stance on the use of personal storage devices and using company-provided storage devices for personal use
  • Administrative requirements for obtaining and returning authorized portable storage devices
  • Policies and procedures for managing third-party storage devices
  • Responsible use expectations for users
  • Data handling procedures for removable storage

Why You Need a Removable Media Policy

Managing the data security risks of removable media devices requires a combination of people, processes, and technology. A removable media policy serves as a critical administrative safeguard by informing users about their security responsibilities and the organization’s USB security processes.

ISO 27001 Compliance

ISO 27001 Compliance: What you need to know

ISO 27001 is a security framework provided by the International Organization for Standardization. As part of meeting ISO 27001 compliance organizations must implement an ISO 27001 removable media policy alongside critical security controls that mitigate the risk of USB device usage.

Cyber Security Threats Against Removable Media

Without proper guidance and training regarding the acceptable use of removable media devices, users may be tempted to plug rogue USB devices into their computers.

For example, in an experiment conducted by the University of Illinois and the University of Michigan, USB flash drives were scattered across a large university campus resulting in a staggering 45-98% of the USBs being inserted into machines.

For a less theoretical example, there’s also the incident in 2020 where hackers used snail-mail to send a company an envelope with a malware-laced USB thumb drive.

Insider Data Theft

Insider threats - how to protect your data. CurrentWare

A 2018 study from cybersecurity software company McAfee found that USB drives are the number one data exfiltration vector in European and Asia-Pacific countries.

When you think of it, this is of little surprise. Portable storage devices are, after all, portable. And thus easy to conceal and hard to detect.

These devices can store terabytes of data, making them capable of storing millions of database records, spreadsheets, and other proprietary information. So long as there’s an available port, data can be readily exfiltrated, leading to a serious data breach.

Employees and other insiders are the most prevalent data exfiltration threats here. They’re trusted with physical access to company systems, making data exfiltration attempts simple. All it takes is sneaking in a USB flash drive and transferring files from the network to the USB drives before they walk out of the office. 

While a removable media policy cannot prevent data loss all on its own, it sets a norm for portable storage security processes. With this norm in place deviations can be more readily discovered and remediated before they become a serious risk.

Risk of Malware Infection

Since portable storage devices are capable of storing and transmitting data, they are potential vectors for malware. The infamous Stuxnet computer worm, for example, was able to infect air-gapped computers in an Iranian uranium enrichment plant through infected USB flash drives.

Stuxnet has served as a unique case study for cybersecurity and national security researchers as it managed to cause tangible physical damage to the systems it infected. The worm infected over 200,000 computers and caused 1,000 machines to physically degrade.

Bad USB Attacks

In addition to the standard malware risks that could happen when you connect a portable storage device to a computer, there are several proof-of-concept malicious USB devices that have been created by cybersecurity researchers.

While not all of these devices are widely used in the wild, they demonstrate the destructive capabilities of seemingly innocuous USB devices.

The following are examples of malicious USB devices:

  • Rubber Ducky: A USB device that poses as a human interface device (HID) to inject a preloaded keystroke sequence. This sequence allows threat actors to initiate a malicious sequence at superhuman speeds.
  • USBKill: A USB device that is used to physically stress test USB hardware. When plugged in the USBKill takes power from the USB port, multiplies it, and discharges it into the data lines, which typically disables an unprotected device.
  • USB Thief: A sophisticated USB malware that steals data from infected systems. Each instance of the trojan relies on the USB device on which it is installed, leaving no evidence of compromise on the infected system. 

For more examples, check out this article.

The High Cost of Non-Compliance at a Glance

Information security policies are a critical security control for protecting sensitive data and meeting compliance requirements. This table provides an overview of common security frameworks and the costs associated with non-compliance.

Full NameDescriptionApplies ToGreatest Cost of Non-Compliance (USD)
International Traffic in Arms Regulations (ITAR)United States – Government regulation of defense-related exports and imports ITAR requires entities to implement measures to prevent the loss of ITAR-controlled dataAll manufacturers, exporters, and brokers of defense-related imports and exports for the USA – including technical dataCivil fines of up to $500,000 per violation, criminal fines up to $1,000,000, 10 years imprisonment per violation, as well as bans from providing future exports.
The Federal Information Security Modernization Act of 2014 (FISMA)United States – Cybersecurity framework for protecting sensitive information held by the federal government and related partiesExecutive agencies within the US federal governmentLoss of federal funding. A low FISMA grade indicates that you are at risk for a data breach
The Personal Data (Privacy) Ordinance (PDPO)Asia (Hong Kong) – Principle-based data protection law for the use, collection, and handling of personal data.Private and public sectors that process data in or from Hong KongA fine of up to ~$128,862 (HK$1,000,000) and imprisonment.
The General Data Protection Regulation (GDPR)Europe – Principle-based data protection law for the use, collection, and handling of personal data.Companies and other entities that process personal data of EU citizens, including website cookies and other marketing dataDiscretionary fines of the greater of ~$22,096,200 (€20 million) or 4% of annual global turnover
The Health Insurance Portability and Accountability Act (HIPAA)United States – National act for regulating the electronic transmission of health informationHealth plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standardsFines of up to $1.5 million per violation category per year

What to Include in Your Removable Media Policy

removable media policy template mockup

Definitions

Removable media policies (USB device usage policies) will reference several terms that may not be immediately known to the user. A glossary that includes the data classifications used by your company and a clear descriptor of what constitutes removable media will help ensure that the policy is easily understood.

Security Requirements for Removable Media Devices

The key benefit of these policies is how they communicate your organization’s information security procedures. 

In your policy you should cover:

  • The organization’s stance on the use of personal storage devices and using company-provided storage devices for personal use
  • What classes of devices are permitted
  • The available alternatives to removable media
  • End-user security responsibilities such as the minimum physical safeguards, who is permitted to use assigned devices, etc
  • Any complimentary security measures, such as the use of a sandbox environment for testing third-party USB devices before they can be used on networked computers

Administrative Requirements for Obtaining and Returning Authorized Portable Storage Devices

In security-conscious environments all users are required to sign out pre-approved portable storage devices. They will forbid the use of unauthorized USB devices and expect their users to be the sole user of their assigned portable storage device.

If your organization will be using these administrative security controls on-site, you should describe the signout process that your users will follow to be assigned authorized storage devices.

Data Handling Procedures for Removable Storage

In addition to physical and administrative security controls, your removable media policy must address the classifications of data that are permitted on portable storage devices. 

These detailed data handling procedures will help to ensure that sensitive information does not find its way onto an easily lost and unencrypted USB flash drive. The procedures will include requirements related to clearing, disposal, encryption, authentication, and data redundancy. 

For example, storage devices that once held confidential data should be limited to storing confidential information and should not be re-released as a standard storage device. The reason for this is that file recovery methods could retrieve the sensitive information that was previously stored on the device.

How to Enforce & Implement Your Removable Media Policy

As with any company policy, the effectiveness of your removable media policy is limited to how well it is enforced and communicated. This section will outline the core methods used to improve buy-in and adherence to company policies. For more information, you can read 5 Ways to Enforce Company Policies.

1) Ensure Your Policies Are Understandable

Stressed and confused man using a laptop

While information security policies are covering a technically complex subject, they need to be written in a way that your target audience will understand. Where possible ensure that any technical terms are accompanied by a glossary entry. 

  • Keep sentences and paragraphs short
  • Use lists frequently to break information down into easily digestible chunks
  • Use headers to separate key sections

2) Communicate Your Policy & Make it Accessible

Man giving a presentation

No truly important policies are simply signed and forgotten about. They need to be openly communicated to your workforce and made easily accessible so they can be referenced on an as-needed basis. 

Ensure that your removable media policy is provided to new hires and ensure your current employees and other users are aware of what they’ve agreed to when they first signed the policy. Policy communication can be further enhanced with occasional refresher presentations and reviews of the policy between management and their teams.

Policy management software and similar information management tools are valuable resources for providing users with easy access to policies, particularly as revisions are released.

3) Have a Plan for Correcting Usage Issues

A businessman hands a piece of paper and a pen to their employee to sign

Having the policy in place sets an important precedent, but without a plan for corrective action there is little consequence for non-compliance. Violating removable media policies presents a significant information security risk that simply cannot be left unaddressed.

Depending on the severity of the offense, corrective actions can include the suspension of their access to technology resources, legal action, and/or dismissal. When implementing your policy ensure that everyone is aware of who will be responsible for enforcement and the actions they must take to correct non-compliance issues.

Tips for Policy Enforcement

  • Assign a designated member of staff that is responsible for policy enforcement. When they are alerted to suspicious endpoint activity they must investigate it in a timely manner.
  • Ensure that all supervisors, managers, and other influencers in your company are leading by example. Your employees cannot be expected to take data security seriously if those above them are not held to the same standard.
  • Pre-determine the enforcement procedures that you will perform based on the severity of the actions taken and any other factors that are relevant to your company. Depending on the severity of the non-compliance this could take the form of re-educating users on their expectations and responsibilities or a critical warning that sets a precedent for dismissal.

4) Removable Media Control Software

While the policy tackles the information security risks of portable storage from the administrative and procedural perspective, it cannot physically stop your end-users from using unauthorized USB devices.

To truly protect your organization against USB data security risks, you need removable media control software

With these security tools you can block USB storage devices while allowing trusted devices to be used. These tools further protect sensitive data by monitoring and restricting file transfers to trusted devices. To reduce the administrative overhead these tools can alert designated employees to USB security threats rather than requiring manual review.

5) Collect Employee Feedback

A group of employees reviewing reports

While the security of your data is paramount, that does not mean you should forgo consulting your employees – after all, they are the ones that are the most intimately familiar with what is needed for them to work effectively. 

Collecting end-user feedback on your endpoint security and management framework provides you with the perfect opportunity to identify elements of your policy that may cause an unexpected productivity bottleneck. While not every piece of feedback can be acted on, you are likely to find opportunities where your proposed policy can be reasonably adjusted to better fit the workflow of your constituents.

6) Educate Your Users

A female teacher points to a chalkboard

In addition to communicating the policy itself, you should provide employees with removable media security awareness training. These training modules will help reinforce the importance of the policy and empower employees with the knowledge they need to use USB storage devices securely.

A policy that is written but not adequately communicated is not likely to effectively fulfill its purpose. Policy education is essential for anyone who is expected to use technology in your workplace as it ensures that your baseline of expectations is fully understood and that a precedent for enforcement is established.

  • Use multiple communication channels to disseminate your policy (email, bulletin boards, direct coaching, team meetings, etc).
  • Ensure that your policy is readily accessible for anyone that needs to refer to it. The policy can be provided on your company’s intranet or within an employee manual.
  • Regularly review your policy with your users to mitigate against non-compliance caused by forgetting the policy’s mandates.
  • Periodically test the policy awareness and knowledge of your employees to ensure they understand their endpoint security responsibilities.

7) Review Your Policy Regularly

A man wearing a black and white striped shirts looks at a wall of printed reports

The frequency with which you review your policy will depend on your security needs and the regulatory compliance frameworks you are subject to. For example, entities covered under HIPAA are expected to “review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.” 

When to Review Your Policy

  • At a predetermined frequency (at least 1-2x annually)
  • After amendments to expectations are made by external regulatory bodies
  • When unique threats to data security are identified
  • Following a data breach within your company
  • After the introduction of a new law that may affect your company (GDPR, CCPA, etc)
  • When new technology is introduced to your company

How to Review Your Policy

  • Determine the members that will take on the role of Information Security Officer or a similar position. Your designated security personnel will be responsible for ensuring that policies are reviewed appropriately, along with the other key responsibilities as outlined by your organization’s unique regulatory standards.
  • Perform a risk analysis to identify areas of your policy that may no longer be relevant or that otherwise need updating to best reflect your current security needs.
  • Collect and review policy feedback from key stakeholders to better identify areas of the policy that need to be amended to improve clarity, relevance, or effectiveness.

Removable Media Policy Template

Free removable media policy template from CurrentWare

DISCLAIMER: This removable media policy template (USB security policy or information security policy template) is provided by CurrentWare Inc. for reference purposes only. 

To ensure that this policy is sufficient for your security and compliance needs it is recommended that you customize it to fit your organization’s environment and have it reviewed by key stakeholders such as executives from finance, physical security, legal, and human resources departments.

Overview

Data loss prevention and data security are everyone’s responsibility. The very same portable nature that makes removable media devices a valued asset also introduces unique risks that must be mitigated against.

Aside from the risk of loss and theft, removable media devices are a potential source of malicious software. To help protect the sensitive data in our custody against these risks we have developed and implemented this removable media policy.

Non-compliance with this policy may result in damages to the organization, its customers, and other stakeholders. These damages may include financial loss, a reduced ability to provide essential services, damages to the organization’s reputation, and identity theft.

Purpose of This Policy

This removable media policy is designed to protect the confidentiality, integrity, and availability of data when removable storage devices are used to transmit data to and from <<ORGANIZATION NAME>>’s systems.

This policy will operate alongside preexisting information security policies and acceptable use policies to provide guidelines and requirements regarding the security standards for the use, storage, and transportation of removable media devices and the data that is stored on them.

The risks that this policy aims to mitigate include, but are not limited to:

  • The unauthorized disclosure or misuse of INTERNAL, CONFIDENTIAL, or RESTRICTED information (sensitive information)
  • The introduction of malicious software (malware) to <<ORGANIZATION NAME>> networks or equipment
  • Reputational risks and legal liabilities that arise as a result of data loss or the misuse of data

Scope

This removable media policy applies to all employees, contractors, and any other third party conducting business with <<ORGANIZATION NAME>> (“Users”). This further includes all individuals and entities who use <<ORGANIZATION NAME>> IT facilities and equipment, or have access to, or custody of, sensitive information.

Definitions

Sensitive Information

All data within the custody of <<ORGANIZATION NAME>> is classified as either PUBLIC, INTERNAL, CONFIDENTIAL, or RESTRICTED. Any data that is classified as CONFIDENTIAL or RESTRICTED is considered to be sensitive information. 

  • Public Data: Information that is openly shared and available, such as what is provided on our website. This data does not require any additional security controls.
  • Internal Data: Organization-wide information that is solely intended for use by employees, contractors, and other representatives of <<ORGANIZATION NAME>>, such as employee handbooks, policies, and internal memos. As the impact of disclosure is minimal this data only needs to be protected with limited controls.
  • Confidential Data: Sensitive organization information that must be limited to internal use only such as pricing structure, marketing materials, or non-public contact information. As the unintended disclosure of this information could negatively affect the organization, it must be protected with greater controls.
  • Restricted Data: Information that is highly sensitive and limited to an as-needed basis, such as personally identifiable information (PII), trade secrets, and financial data. As the disclosure of this information would result in significant financial or legal impact to the organization it must be protected with significant security controls.

Removable Media Device

A removable media device—also known as a portable storage device or removable storage device—is defined as any device or media that is readable and/or writable by an end-user while being able to be moved between computers without modifications to the computer. 

Removable media devices are portable devices that can be used to copy, save, store, and/or move data from one system to another.

Examples of removable media include:

  • USB portable storage devices (“Jump Drive”, “Data Stick”, “Thumb Drive”, “Flash Drive”, etc)
  • SDHC, SDXC & SD cards
  • External hard drives and external solid-state drives
  • R/W Compact Disk or DVD media
  • Portable devices such as tablets, smart devices, and cameras
  • eSATA (External Serial Advanced Technology Attachment) devices
  • Floppy disks

Sheep Dip/Sandbox/Footbath

In a cybersecurity context, a Sheep Dip—also known as a Footbath—is a dedicated computer or sandbox environment that is used to test a removable media device for malware. A sheep-dip computer acts as the first line of defense against malware from USB drives and other portable storage mediums.

A computer that is used for sheep dipping will not be connected to the internet or the local area network; this helps prevent attackers from infiltrating the network through the sheep-dip computer and prevents the spread of computer worms. 

The sheep-dip computer will be provided with an up-to-date antimalware system (virus scanner) for the purpose of scanning removable media devices for malicious software before allowing them onto a networked computer.

The term “Sheep Dip” refers to a method used by farmers to prevent the spread of parasites in a flock of sheep. During a sheep dip, farmers will dip all of their sheep one after another in a trough of pesticide to prevent infestations to the rest of their flock. 

Similarly, the practice of sheep dipping removable media devices acts as an essential layer of security by preventing potentially infected storage devices from connecting to networked computers without prior inspection.

Data Loss/Data Leak

Data loss is any incident that results in data being corrupted, deleted, and/or made unreadable. A data loss event typically occurs due to intentional or accidental deletion, a malicious attack that results in data corruption, or physical damage to data storage hardware. 

Similarly, a data leak is the unauthorized exposure of sensitive information through accidental or malicious actions. The incident could occur due to server misconfigurations, lost/stolen removable media devices, or an attack from a threat actor. 

Guiding Principles

  1. Removable media devices will only be approved for use if there is a valid business use case that outweighs the associated risks and all other options to transfer data have been exhausted.
  2. Only removable media devices that meet <<ORGANIZATION NAME>>’s security standards will be permitted on networked computers. 
  3. Data loss prevention is not the sole responsibility of any individual or department; it requires the cooperation and due diligence of everyone involved. All users of removable media containing sensitive information have a duty of care to protect the devices against unauthorized access, misuse, or corruption.
  4. The secure use of removable media devices is just one aspect of a comprehensive information security program that must be adopted to effectively safeguard sensitive information.

Security Responsibilities & Practices for Removable Media Devices

Security Requirements for Removable Media Devices

Permitted Devices

<<ORGANIZATION NAME>> will ensure that all users with a requirement for removable media devices are provided with a pre-authorized device and all related assets that they will need to securely store, transport, and access data.

Only devices that have been pre-authorized by <<ORGANIZATION NAME>> will be permitted for use. Special exemptions may be made at the discretion of information security personnel for trusted third parties when no other data transmission options are available (see “Managing the Security Risks of Third-Party Removable Media Devices”).

  • Personally owned devices are prohibited from use on all networks and computers. 
  • Organization-provided devices are not permitted to be used on personally owned devices.
  • Under no circumstances should unidentifiable removable media devices be used. If an unidentifiable device is found it can be brought to information security personnel for safekeeping or secure inspection at their discretion.

The Sheep Dipping Process

All removable media devices must be connected to a sheep-dip computer for inspection prior to being allowed on networked computers.

To inspect the removable media device you must:

  1. Log in to the sheep-dip computer
  2. Insert the device(s) that will be inspected
  3. <<VIRUS SCANNING PROCESS>>

In the event that a potential threat is discovered during the sheep-dipping process, the device may not be connected to any other computer. The device must be removed from the sheep-dip computer and information security personnel must be alerted immediately. 

Managing the Security Risks of Third-Party Removable Media Devices

In the event that a critical data transfer is required from a third-party removable media device that has not been pre-authorized, that device must be connected to a sheep-dip computer for inspection prior to being allowed on networked computers.

Removable media devices will only be allowed from third parties when…

  • There is a clear business requirement to load the data from the device to an organization-owned computer
  • No suitable alternatives are available (the use of the removable media device must be a last resort)
  • The sheep-dipping process does not indicate the presence of a security threat (See “The Sheep Dipping Process”)

If the above criteria are met, you must contact information security personnel to have the third-party device added to the Allowed Devices List or for a temporary access code to be generated for your computer. 

Responsible Use Expectations for Users

Duty of Care & Incident Reporting

All members and associates of <<ORGANIZATION NAME>> have a duty of care to protect the sensitive information in our custody. 

This duty of care mandates that:

  • All members and associates of <<ORGANIZATION NAME>> are expected to be in compliance with this policy and all other information security policies.
  • All suspected or definitive security incidents, misuse, or irresponsible actions are to be immediately reported to <<POINT OF CONTACT>>.
  • All members and associates of <<ORGANIZATION NAME>> understand and abide by their cybersecurity awareness training.
  • All members and associates of <<ORGANIZATION NAME>> understand their responsibilities associated with the secure use of technology when it comes to protecting sensitive information while performing their duties.

Unauthorized Software & Executables

While removable media devices allow for the convenient transmission of executable software, all software that is used on <<ORGANIZATION NAME>> computers must be exclusively purchased, installed, and managed by information security personnel. 

There is a zero-tolerance policy for the use of unauthorized software (“Shadow IT”) on organization-owned equipment and systems. 

Physical Security Controls

Each removable media device is assigned to a designated individual. The individual is responsible for the physical protection of the removable media device and must ensure that steps are taken to protect the sensitive data on the device from loss, theft, or damage. 

Under normal operating conditions, all removable media devices must be signed in and out each workday on an as-needed basis. In the event that the extended possession of a removable media device is granted, the user is responsible for meeting its ongoing security requirements.

These steps include, but are not limited to:

  • Under no circumstances can the individual share the device with others; it must remain in their sole custody until it is returned to information security personnel.
  • When not in use, any removable media device containing sensitive data must be stored securely, such as in a locked cabinet or safe. 
  • All removable media devices must be returned to a designated safe storage location at the end of each workday unless special authorization is provided in writing.
  • Do not leave removable media devices unattended. When a transfer of sensitive data is underway the device must remain in the authorized user’s physical control at all times. 

Data Handling Procedures for Removable Storage

Data Loss Prevention & Data Integrity
  • Data must only be copied to a removable media device by an authorized user in the performance of their official duties or when responding to legitimate requests for information.
  • Removable media devices are only to be used for the temporary storage and transmission of information. They must not be used as an alternative to other storage equipment for critical backups.
  • Unless special authorization is provided in writing, under no circumstance should removable media be connected to any computer that has access to RESTRICTED data.
  • CONFIDENTIAL or RESTRICTED information may not be stored on removable media without explicit permission.
  • To ensure the integrity of data, all amendments made to data on removable media devices must be reflected in <<ORGANIZATION NAME>>’s private network at the nearest available opportunity.
Encryption & Authentication Requirements
  • When sensitive information is stored on removable media, the device must be encrypted and password-protected to prevent unauthorized disclosure of the data. The password must be unique, difficult to guess, and not shared with any other parties.
  • The encrypted removable media device must carry the same public-private key combination that is associated with the authorized user.

Clearing & Disposal

  • All users must return their assigned removable media devices at the end of the workday unless special authorization is provided.
  • All organization property must be returned at the end of the employment period, including removable media devices.
  • Under no circumstances should any removable media device be given away or disposed of via any channel other than through information security personnel. Damaged or faulty devices must be brought to information security personnel for secure disposal or repair.
  • Users must note that files and data that have been deleted from removable media devices can still be retrieved. Any device that once stored sensitive information must be treated as if it still contains the sensitive information until it has been securely erased by information security personnel. If full data erasure is not feasible, the USB device must be limited to the use of the highest data classification for which it was previously used; the device cannot be considered for declassification.

Organizational Security Controls for Removable Media

In addition to the responsibilities that users have to protect sensitive data on removable media devices, <<ORGANIZATION NAME>> provides organizational security measures to reduce the risks associated with removable media devices.

Device Control Software & USB Removable Disk Auditing

All computers with access to sensitive data and/or connection to the organization’s network have USB control software installed on them. 

This software protects the organization’s systems against the risks of removable media devices by:

  • Preventing the loading of data from non-authorized portable storage devices
  • Restricting the types of data that can be transmitted to authorized portable storage devices
  • Logging all file operations to and from portable storage devices
  • Logging all removable media devices that are plugged into monitored computers

Monitoring and tracking the use of removable media devices is standard practice as part of <<ORGANIZATION NAME>>’s asset management and cybersecurity processes.

As a condition of using systems provided by <<ORGANIZATION NAME>>, you acknowledge that all computer activity may be monitored for security and productivity management purposes.

IT Inventory Management

All departments must maintain accurate and up-to-date records of the removable media devices issued within the organization. 

At a minimum, the records will contain:

  • A unique identifier of the device, such as a serial number 
  • The name of the user the device is assigned to
  • The date of assignment
  • The business purpose that the device is assigned for
  • The highest security classification of the information that is allowed to be stored on the device

NOTE: All removable media containing sensitive information must have an external label that indicates the highest data classification and the user responsible for its safekeeping.

Cybersecurity Awareness Training

<<ORGANIZATION NAME>> provides ongoing cybersecurity awareness training to promote awareness of information security policies, procedures, and best practices among its users. This training is intended to educate users on the responsibilities and risk factors associated with their role in the organization.

If at any time a user desires retraining, they can access the training materials by going to <<TRAINING MATERIALS LOCATION>>. 

Exceptions to This Policy

All users are expected to be in compliance with this removable media policy and all other information security policies provided by <<ORGANIZATION NAME>>. 

Exceptions to this policy shall only be considered in unique and rare circumstances.  These exceptions require the written approval of <<ROLE>> and will only be granted for justifiable business purposes.  

All approvals for exceptions are subject to review and expiry. The written approval will indicate the period of time for which the exception is valid. Once the approval period has passed it is the responsibility of <<ROLE>> to reevaluate the approval for an extension.

Enforcement of This Policy

Anyone found in violation of this policy may be subject to corrective actions up to and including the suspension of their access to technology resources, legal action, and/or dismissal.

USB Security Policy Examples

Each industry and organization will have its own unique set of data security requirements that will heavily inform their USB restriction policy. While the use of data security best practices will always be necessary to adequately protect data, the level of restrictions used as a safeguard will vary in intensity depending on the sensitivity of the data the organization handles and the associated level of risk.

Example 1 – John, Military Intelligence

Image: Endpoint Security Persona for John who works in Military Intelligence. The paragraph below is the same as what is on the image.

While John’s exact role is top secret, we do know that he works in the field of Military Intelligence. Because John’s information governance and cybersecurity responsibilities are a matter of national security, he takes every precaution available to him to eliminate the potential for unauthorized data transfers and to mitigate cybersecurity threats.

John’s USB Security Policy

  • All USB devices have been blocked from use on the endpoints he is in charge of protecting.
  • His policies are further enforced by physically banning USB devices from the premises – if John discovers a USB device he treats it as a highly suspicious threat.
  • Projects that require data transfers must be approved, monitored, and managed by the security team
  • Any attempts to bypass USB permissions will send alerts to his security personnel for immediate investigation.

Example 2 – Sam, HIPAA Security Officer

Image: Endpoint Security Persona for Sam who works in healthcare. The paragraph below is the same as what is on the image.

Sam is the HIPAA Security Officer for her company. She uses USB activity monitoring and restriction to protect the sensitive personal health information (PHI) of patients as a technical safeguard for maintaining HIPAA compliance for her company.

Sam’s USB Security Policy

  • Only company-provided encrypted USB devices are allowed to be used for transmitting data. Attempts to use personal USB devices are blocked by her endpoint security software and an email alert is sent to her security team for review.
  • USB devices must be signed in and out daily and only used internally. Her staff are never permitted to bring their USB devices outside of the building.
  • Reports on all file operations & devices connected to endpoints are reviewed by Sam on a daily basis. She uses endpoint activity monitoring to ensure that system activity can be traced to a specific user in the event that a data breach is discovered. 
  • Attempts to bypass software-enforced endpoint restrictions are blocked, logged, & reported to Sam’s security team for review

Example 3 – Karen, Retail Manager

Image: Endpoint Security Persona for Karen who works as a retail manager. The paragraph below is the same as what is on the image.

Karen is a manager for an independent retail company that sells through an eCommerce platform. Karen’s payment processing is handled by a third party that maintains their own data security compliance, however, she collects personally identifiable information of customers when arranging shipment of her products. She wants to use USB activity monitoring to alert her to incidents of her staff attempting to perform illicit data transfers.

Karen’s USB Security Policy

  • Unknown USB devices are blocked from transmitting data by default but are later allowed once scanned for viruses
  • Data transfers from unknown USB devices are blocked
  • The USB ports on her computers are configured to still allow for the charging of phones and other USB devices. 
  • Karen reviews her endpoint activity reports weekly to check for suspicious file operations  & strange endpoint activity

Example 4 – Chris, Design Agency CEO 

Image: Endpoint Security Persona for Chris who works in a design agency. The paragraph below is the same as what is on the image.

Chris started his design career as a freelancer. Over time his independent operation grew into a modest design agency with his own employees and contractors. To help make IT security easier to manage, he ensures that his creative staff members do not need or have access to any sensitive data for the work that they do. Chris primarily uses file operations monitoring reports to protect his company’s intellectual property (IP) by ensuring that only pre-approved renders for portfolios leave the office.

Chris’ USB Security Policy

  • All USB devices are allowed by default
  • Chris is immediately alerted with an email when attempts to transfer specific IP-related file extensions are detected
  • To protect company and customer financial data, if anyone in his Finance department tries to transfer files to a USB device they are blocked and Chris is alerted

4 Critical Considerations for an Information Security Policy

When developing your security policies, these are key considerations that will influence the measures that you implement, the users and/or devices that you restrict, and how you will best use monitoring data to inform your data security strategy. This section will use an endpoint security policy as an example.

1) Define the Assets That You Need to Protect

A hand motions to press a cell phone. A glowing lock icon floats above them

The policies you develop will be heavily influenced by the assets that you manage. Each device has a unique risk level and accompanying management needs. It is critical that you understand the unique needs of each of these devices as they will influence the level of monitoring and restrictions implemented.

USB Device Security

Users with access to sensitive data need to be closely monitored, particularly when their endpoints have integrated data transfer hardware such as USB ports, SD/MM card slots, CD drives, or Bluetooth.

Rogue USB devices including personal flash drives, mobile phones, and miscellaneous devices such as USB-powered fans are a potential attack vector. If your company has stringent data security requirements it is strongly advised that you restrict USB devices with software-enforced USB control policies.

Internet-Connected Hardware, Networking Devices, & Applications

Internet connectivity serves as a vital resource for managing distributed teams, sharing information, and connecting with customers. The internet also poses a remarkable cybersecurity vulnerability that needs to be managed appropriately. 

The internet provides malware with a gateway to systems through methods such as phishing emails and “drive-by” downloads where a malicious website installs malware on the user’s computer without their knowledge. These internet-based attacks are best mitigated through the use of content filtering tools that allow for the blocking of dangerous websites, prevent the opening of suspicious files, and disable unauthorized computer programs.

Internet-of-Things (IoT) Devices

IoT devices provide a unique level of risk thanks to a combination of their access to the network and a lack of robust security standards for IoT device manufacturers. A seemingly innocuous IoT sensor that helped a casino manage its aquarium became an entry point for a data breach that resulted in an information leak about the casino’s high-rollers.

IoT vulnerabilities are largely caused by surprisingly widespread practices such as hardcoded passwords, web interfaces without sufficient authentication measures such as multi-factor authentication (MFA), and an inability or lack of support to securely patch known security vulnerabilities.

Due to their unique risk, these devices need to be treated with an added layer of caution, particularly if the device or the manufacturer does not natively support adequate cybersecurity measures. Unless you can confidently confirm otherwise, it is best to assume IoT devices are high-risk and treat them appropriately, including placing them on an entirely separate network that does not have access to sensitive data (“air gapping” or network segmentation).

Mobile Device Management

Mobile devices are popular among professionals that want to continue working while traveling. Unfortunately, the portability of mobile devices comes at the cost of reduced physical security and added network vulnerabilities. If your employees are potentially working from outside a secured building in favor of a local coffee shop, airport, or co-working space, they will require greater monitoring and restriction to address the added risk. 

To mitigate the risks associated with mobile devices, you can make use of an enterprise-class Mobile Device Management (MDM) system. An MDM allows you to delete sensitive data remotely, track lost or stolen devices, and enforce MFA on mobile devices, among a suite of other important features for securing mobile endpoints.

Risk Factors for Mobile Devices:

  • Insecure Wi-Fi networks (Public Wi-Fi, fake Wi-Fi hotspots set by attackers)
  • Data security vulnerabilities caused by attacks that use Bluetooth
  • Reduced physical security: Increased opportunities for theft or loss
  • Visual eavesdropping when working in public spaces
  • Juice Jacking: Compromised public USB charging ports that install malware onto mobile devices

2) Determine the Level of Restrictions Required

Alternative for using Group Policy to block USB

While implementing the highest level of restriction possible will provide greater threat mitigation, a policy that is far more restrictive than necessary for the corresponding risk level will create unnecessary productivity and usability bottlenecks. The bottlenecks caused by an overzealous security policy will needlessly frustrate users, leading to a greater risk of non-compliance with your organization’s policies.

When determining the level of restrictions required for your security policies it is important to tailor the degree of restriction based on the associated risk level. Security risks care typically broken down into three key categories: Low Risk, Moderate Risk, and High Risk.

Risk Assessments

The risk category for a given endpoint is classified based on the severity of the impact should the device be compromised as well as the likelihood that such an event will occur. It is important to note that while moderate and high-risk assets should be prioritized, even low-risk endpoints must meet minimum security standards to prevent them from becoming a vulnerability due to mismanagement. 

An endpoint device that is seemingly low in risk can actually belong to the high-risk category if it has access to a shared network that could be used as an entry point for a hacker performing a cyberattack. 

Image: A Risk Matrix demonstrating how varying degrees of the likelihood of a data breach occurring and the impact it would have will change the level of risk involved. The more likely and higher the impact, the greater the risk.
The risk category for a given endpoint is classified based on the severity of the impact from a data breach as well as the likelihood that the device will be compromised. The higher the impact and the more likely, the greater the risk.

The below risk factors will serve as a baseline for evaluating the risk level of your endpoints. These risk factors can be more or less risky than outlined below depending on how they interact with other risk factors.

A publicly accessible endpoint has lower physical security and is thus potentially a high-risk device, however, if it has no access to sensitive data (ex. a public-facing digital map kiosk that is unable to connect to higher-risk systems) it could be considered low-risk.

Lower Risk Moderate Risk High Risk
Device Accessibility Trusted, Monitored & Managed EmployeesTrusted, Monitored & Managed Guests General Public
Hardware & Software Whitelisted/authorized devices Wireless internet (Wi-Fi)

Shadow IT1

Internet-of-Things (IoT) devices 

Unpatched and legacy systems2

Unmanaged USB devices and ports
Data Sensitivity Publicly available data or data that is intended to be openly available without restrictionUnpublished, unclassified, and otherwise non-sensitive internal documents such as meeting minutesDevices that are connected to a network with access to data that is expected to be compliant with data security requirements such as HIPAA, GDPR, FERPA, FISMA, ITAR, PCI-DSS, etc
Level of Importance Devices that are connected to systems that provide non-critical services, such as a digital map kiosk for patrons in a mallDevices that are connected to systems that provide an important service, such as employee workstations that are used to perform day-to-day dutiesDevices that are connected to systems that provide a critical service such as IoT-connected power systems

Devices that are connected to systems that would
Difficulty of Recovery The connected system is easily recovered with minimal to no disruption to operationsThe connected system is able to be recovered with moderate disruption to operations The endpoint is connected to systems that are difficult to recover or recovery will cause a major disruption to operations

1 Shadow IT: Unapproved software/hardware that is not managed by the corporate IT security team. 
2 Legacy systems: Systems that rely on outdated hardware and software that is no longer receiving critical security updates from their manufacturer(s) or the organization.

3) Supporting Elements for Security Policies

Supporting elements of security policies such as defining the acceptable use of devices are critical for further enforcing endpoint monitoring and restriction practices as they provide the baseline for what will be considered suspicious activity in the context of your organization. With a well-established set of expectations, you can properly address behaviors that put the integrity of data security at risk.

Well-defined and communicated written policies and guidelines provide a necessary structure for communicating your expectations of how endpoint device management and information governance is to be carried out by employees and other users in your company. While templates can serve as a structure for understanding the core principles, you cannot afford to forgo mindfully considering the elements that are important for your company’s data security needs.

What to Include in an Endpoint Security Policy

  1. What is the goal of your endpoint security policy?
    • Maintaining internal or regulatory data security compliance
    • Protecting intellectual property (IP) such as trade secrets
    • Increasing your company’s competitive advantage by demonstrating proactive cybersecurity to potential business partners and customers
    • To mitigate the potential for damage to operations caused by cybersecurity threats
    • To protect the safety and security of data in your role as a data processor
  2. What security measures are you taking to ensure data security?
    • Enforced multi-factor authentication (MFA)
    • Security software for endpoint device control, antivirus, and content filtering
    • Security personnel responsible for policy enforcement and data security management
    • Restricting and carefully managing the number of users with administrative access or elevated permissions
    • Patch management procedures
    • Network segmentation
    • Automated “health checks” of devices to verify they meet the minimum cybersecurity standards to access your network
    • Cybersecurity training for users that use technology in the workplace
    • The development of policies intended to address data security priorities and practices
  3. What are the security responsibilities of your users and personnel?
    • Who is primarily responsible for ensuring information security and compliance in your organization?
    • What is considered “mishandling” of data?
      • What are the approved procedures for accessing, storing, and transmitting data? Do these measures change based on the data classification?
      • Are USB devices and files required to be encrypted?
      • Where is data permitted to be stored, transmitted, and accessed?
      • Who is allowed to access confidential or sensitive data?
    • Who is responsible for maintaining critical security updates (patches)?
    • What are the minimum security standards for devices that require connection to your network?
  4. What applications/devices/peripherals are allowed to be used and what is not permitted?
    • Can employees use their own peripherals (USB devices, keyboards, etc), or will that pose an undue security risk?
    • Are employees permitted to use their own devices to perform work tasks? If so, what security measures are they expected to take?
    • If guests bring USB devices for a presentation or for sharing files, how will your security team manage that? Will they be required to check in with your IT department or will department managers be permitted to manage guest device permissions?
    • Who is permitted to install software onto endpoints?
    • What operating systems (OSs) are permitted? How will you manage the risks of legacy OSs?
  5. Other considerations
    • Who can employees contact with security concerns and questions?
    • How often will your policies be reviewed and updated? Who is responsible for ensuring this is done?

4) Plan For How You Will Use Activity Monitoring Data

Auditing the data and alerts provided by endpoint monitoring software is an integral component of maintaining endpoint security as it provides you and your security team with valuable insights into the activities carried out on endpoints within your network.

The insights from these reports can be used to identify non-compliant users using endpoint devices in an insecure manner, collect evidence of illicit file transfer attempts, and monitor the peripheral devices used within your company.

AccessPatrol’s Endpoint Monitoring Reports & Alerts

AccessPatrol USB Device Control Software Report - USB File Operations
  • Devices Accessed (All): Receive email alerts or scheduled summary reports when your users (employees, patrons, etc) connect any peripheral devices on your endpoints. These reports are best used for maintaining a log of all endpoint activity for use in the event of an investigation.
  • Devices Accessed (Allowed): An overview of the endpoint activity history of allowed peripheral devices. Best used to study the usage patterns of approved peripherals within your company to confirm they are being used as expected.
  • Devices Accessed (Blocked): These reports are best used to alert security personnel to attempts to use prohibited devices on company endpoints. The devices will be blocked from use and the user/device that was used inappropriately will be logged for further investigation.
  • File Operations: These USB activity reports provide an overview of files that are created, renamed, transferred, or deleted from external storage devices. These reports are critical for monitoring the flow of data to and from USB storage devices as well as identifying the user responsible for initiating the transfer.

Conclusion

Information security policies are critical administrative safeguards for protecting sensitive data. By taking a proactive approach to data security your company will be better positioned to use data safely, make advantageous partnerships, and protect the integrity of your operations.

Removable media policies, for example, are key for mitigating the threats of portable storage devices such as mobile phones, USB flash drives, and portable hard drives. By combining these policies with USB control software you can take advantage of the convenience of portable storage while mitigating the associated risks.

Dale Strickland
Dale Strickland
Dale Strickland is the Digital Marketing Manager for CurrentWare, a global provider of user activity monitoring, web filtering, and device control software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.
Get Your Free Removable Media Policy Template

Get Your Free Removable Media Policy Template

Download this FREE removable media policy template to help protect the sensitive data in your custody.

👉 Set data security standards for portable storage

👉 Define the acceptable use of removable media

👉 Inform your users about their security responsibilities

Here's Your Free Template!

Pin It on Pinterest