Guidance

10 Steps: Removable Media Controls

Updated 16 January 2015

This guidance was withdrawn on

This content has been moved to the CESG website: https://www.cesg.gov.uk/10-steps-cyber-security

1. Summary

Failure to control or manage the use of removable media can lead to material financial loss, the theft of information, the introduction of malware and the erosion of business reputation. It is good practice to carry out a risk benefit analysis of the use of removable media and apply appropriate and proportionate security controls, in the context of their business and risk appetite.

2. What is the risk?

The use of removable media to store or transfer significant amounts of personal and commercially sensitive information is an everyday business process. However, if organisations fail to control and manage the import and export of information from their Information and Communications Technologies (ICT) using removable media they could be exposed to the following risks:

Loss of information

The physical design of removable media can result in it being misplaced or stolen, potentially compromising the confidentiality and availability of the information stored on it

Introduction of malware

The uncontrolled use of removable media will increase the risk from malware if the media can be used on multiple ICT systems

Information leakage

Some media types retain information after user deletion; this could lead to an unauthorised transfer of information between systems

Reputational damage

A loss of sensitive data often attracts media attention which could erode customer confidence in the business

Financial loss

If sensitive information is lost or compromised the organisation could be subjected to financial penalties

3. How can the risk be managed?

Removable media should only be used to store or transfer information as a last resort, under normal circumstances information should be stored on corporate systems and exchanged using appropriately protected and approved information exchange connections.

3.1 Produce corporate policies

Develop and implement policies, processes and solutions to control the use of removable media for the import and export of information.

3.2 Limit the use of removable media

Where the use of removable media is unavoidable the business should limit the media types that can be used together with the users, systems and types of information that can be stored or transferred on removable media.

3.3 Scan all media for malware

Protect all host systems (clients and servers) with an anti-virus solution that will actively scan for malware when any type of removable media is introduced. The removable media policy should also ensure that any media brought into the organisation is scanned for malicious content by a standalone media scanner before any data transfer takes place.

3.4 Audit media holdings regularly

All removable media should be formally issued by the organisation to individuals who will be accountable for its secure use and return for destruction or reuse. Records of holdings and use should be made available for audit purposes.

3.5 Encrypt the information held on the media

Where removable media has to be used, the information should be encrypted. The type of encryption should be proportionate to the value of the information and the risks posed to it.

3.6 Lock down access to media drives

The secure baseline build should deny access to media drives (including USB drives) by default and only allow access to approved authorised devices.

3.7 Monitor systems

The monitoring strategy should include the capability to detect and react to the unauthorised use of removable media within an acceptable time frame.

3.8 Actively manage the reuse and disposal of removable media

Where removable media is to be reused or destroyed then appropriate steps should be taken to ensure that previously stored information will not be accessible. The processes will be dependent on the value of the information and the risks posed to it and could range from an approved overwriting process to the physical destruction of the media by an approved third party.

3.9 Educate users and maintain their awareness

Ensure that all users are aware of the risks posed to the organisation from the use of removable media and their personal security responsibility for following the corporate removable media security policy.