10 Steps: Removable Media Controls
Updated 16 January 2015
© Crown copyright 2015
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/10-steps-to-cyber-security-advice-sheets/10-steps-removable-media-controls--11
1. Summary
Failure to control or manage the use of removable media can lead to material financial loss, the theft of information, the introduction of malware and the erosion of business reputation. It is good practice to carry out a risk benefit analysis of the use of removable media and apply appropriate and proportionate security controls, in the context of their business and risk appetite.
2. What is the risk?
The use of removable media to store or transfer significant amounts of personal and commercially sensitive information is an everyday business process. However, if organisations fail to control and manage the import and export of information from their Information and Communications Technologies (ICT) using removable media they could be exposed to the following risks:
Loss of information
The physical design of removable media can result in it being misplaced or stolen, potentially compromising the confidentiality and availability of the information stored on it
Introduction of malware
The uncontrolled use of removable media will increase the risk from malware if the media can be used on multiple ICT systems
Information leakage
Some media types retain information after user deletion; this could lead to an unauthorised transfer of information between systems
Reputational damage
A loss of sensitive data often attracts media attention which could erode customer confidence in the business
Financial loss
If sensitive information is lost or compromised the organisation could be subjected to financial penalties
3. How can the risk be managed?
Removable media should only be used to store or transfer information as a last resort, under normal circumstances information should be stored on corporate systems and exchanged using appropriately protected and approved information exchange connections.
3.1 Produce corporate policies
Develop and implement policies, processes and solutions to control the use of removable media for the import and export of information.
3.2 Limit the use of removable media
Where the use of removable media is unavoidable the business should limit the media types that can be used together with the users, systems and types of information that can be stored or transferred on removable media.
3.3 Scan all media for malware
Protect all host systems (clients and servers) with an anti-virus solution that will actively scan for malware when any type of removable media is introduced. The removable media policy should also ensure that any media brought into the organisation is scanned for malicious content by a standalone media scanner before any data transfer takes place.
3.4 Audit media holdings regularly
All removable media should be formally issued by the organisation to individuals who will be accountable for its secure use and return for destruction or reuse. Records of holdings and use should be made available for audit purposes.
3.5 Encrypt the information held on the media
Where removable media has to be used, the information should be encrypted. The type of encryption should be proportionate to the value of the information and the risks posed to it.
3.6 Lock down access to media drives
The secure baseline build should deny access to media drives (including USB drives) by default and only allow access to approved authorised devices.
3.7 Monitor systems
The monitoring strategy should include the capability to detect and react to the unauthorised use of removable media within an acceptable time frame.
3.8 Actively manage the reuse and disposal of removable media
Where removable media is to be reused or destroyed then appropriate steps should be taken to ensure that previously stored information will not be accessible. The processes will be dependent on the value of the information and the risks posed to it and could range from an approved overwriting process to the physical destruction of the media by an approved third party.
3.9 Educate users and maintain their awareness
Ensure that all users are aware of the risks posed to the organisation from the use of removable media and their personal security responsibility for following the corporate removable media security policy.