Introduction

Removable media takes many forms today (jump drives, flash memory storage, portable storage devices, etc.). Removable media is personal, removable, and portable, which introduces risk into the organization whenever it is used to store sensitive information. Aside from the chance of loss and theft, removable media storage is a well-known source of malware infections and has been directly tied to the loss of information.

Purpose

This policy is established to minimize the risk of loss or exposure of sensitive data and to reduce exposure to external sources of malware and virus exploits.

Scope

This policy applies to all staff.

Policy

  • Removable media storage of any kind is disallowed in any form or function within our server environment.
  • Removable media shall not be used (e.g. attached to work computers for storage of any customer information).
  • Exceptions to this policy shall be considered only in unique and rare cases. These requests shall require written approval of the CISO (Chief Information Security Officer) and be granted only for justifiable business purposes.

Exception Policy

  • Removable media shall be scanned for malware/viruses prior to use.
  • A support ticket shall be logged specifying the length of time that the required media can be used. If additional time is required, written approval must be obtained from the CISO.
  • Prior to closing the exception ticket, data from the removable media must be deep deleted (using commercially recognized means).
  • Removable media (used for the exception) may never be connected to, or used in, personal or home computers.
  • When in transit, sensitive data stored on removable media must not be left unattended and must remain in an authorized employee’s physical control at all times.

Enforcement

Staff members found in violation of this policy may be subject to disciplinary action, up to and including termination.

Version 1.0.1 - last updated December 4, 2019