Removable Media Controls Policy

Summary

In order to protect SLAM IT assets, the policy limits the ability of Users to introduce malware to the systems by prohibiting removable media and limits the ability of Users to remove SLAM Confidential information on removable media.

Body

Purpose

To reduce the cybersecurity risk to the organization, SLAM is required to design, implement and maintain a coherent set of policies, standards and procedures (collectively the Security Program) to manage risks to its data and information systems. Users are required to protect and ensure the Confidentiality, Integrity, and Availability (CIA) of data and information systems, regardless of how data is created, distributed, or stored. Security controls will be tailored accordingly so that cost-effective controls can be applied commensurate with the risk and sensitivity of the data and information system.

In order to protect SLAM IT assets, the policy limits the ability of Users to introduce malware to the systems by prohibiting removable media and limits the ability of Users to remove SLAM Confidential information on removable media.

Definition

In the realm of IT security terminology, the National Institute of Standards and Technology (NIST) IR 7298, Revision 1, Glossary of Key Information Security Terms, is the primary reference document that SLAM uses to define common IT security terms. Key terminology to be aware of includes:

  • Control: A term describing any management, operational, or technical method that is used to manage risk. Controls are designed to monitor and measure specific aspects of standards to help SLAM accomplish stated goals or objectives.
  • CIA: Confidentiality, Integrity, and Availability of company information systems and the underlying electronic data.
  • Users: SLAM staff, volunteers, and contractors who have access to SLAM information systems and who are in a computer-related position of trust.
  • Systems: Information Technology systems (e.g., networks, operating systems, applications and databases).
  • Privileged User Accounts: Those accounts granted special access rights for particular business needs pursuant to approved procedures.
  • Malware: Malicious Software
  • Removable Media: Digital media intended to be portable (plug-n-play devices) including diskettes, magnetic tapes, optical media (DVDs and CDs), external/removable hard drives, removable flash-based media (thumb drives, digital media players, digital cameras), digital video disks, smart phones, recorders, and cell phones.

Policy

To reduce the risk of loss or exposure of SLAM Confidential information, and to reduce the risk of introducing malware on organization systems, the following best practices apply:

  • Removable media may be connected to or used in SLAM systems for business purposes only and must adhere to safeguards implemented by IT.
  • Confidential information should be stored on removable media only when required in the performance of Users’ assigned duties or when providing information required by state or federal agencies.
  • When Confidential information is stored on removable media, it must be encrypted. Departments needing encryption must contact IT for assistance.
    • Confidential information includes:
      • Business operations and/or processes
      • Intellectual property
      • Revenue/expense sources
      • Customer or client information
      • Personal data including social security number, date of birth, address.
      • Employment information including contracts, pay rate, bonuses.
      • Administrative information: time sheets, pay stubs, tax forms
      • Job termination data
  • Limit access to non-public information on removable media to authorized users.
  • Media containing Confidential information will be returned to IT to be sanitized or destroyed before disposal or release for reuse.
  • Where applicable and feasible, users will mark media with Confidential markings and distribution limitations.
  • Where confidential information is transferred to media, that media shall be stored securely within a controlled area and access to that controlled area shall be physically restricted to authorized staff. Further, the mechanisms that enforce those access restrictions shall collect access information and shall include the ability to audit access attempts.
  • SLAM will restrict the use of removable media on systems using technical controls.
  • The use of portable storage devices will be prohibited when such devices have no identifiable owner. Never connect found media or devices to a PC. Give any unknown storage device to IT.
  • Keep your personal and business data separate. Do not store SLAM data on personal devices.

Approval and Ownership

Owner | Title | Date
Phillip Deleel | IT Director | 09/29/2020

Approved By | Title | Date
Carolyn Schmidt | Deputy Director/Controller | 05/13/2021

Revision History

Version | Description | Revision Date | Review Date | Reviewer / Approver Name
1 | Final | 09/29/2020 | 05/13/2021 | Carolyn Schmidt
2 | Annual Review | | 11/07/2022 | Phillip Deleel
3 | Annual Review | | 10/30/2023 | Phillip Deleel
4 | Annual Review | | 12/04/2024 | Phillip Deleel

 

Details

Article ID: 132585
Created: Tue 6/8/21 11:31 AM
Modified: Wed 12/4/24 3:49 PM