Answer yes if your organisation blocks the use of removable media on your network and if this is enforced through the use of a technical control.
What is it?
Removable media may include floppy disks, tapes, CDs, DVDs, USB keys, memory cards, removable drives, digital cameras, SIM cards, and any other device with storage memory that can be connected to a computer.
Any of these devices could potentially be used to exfiltrate sensitive data from your organisation. As such, a Removable Media policy should dictate that the use of removable media is restricted wherever and whenever it is not explicitly required.
Why should I have it?
Having a removable media policy protects your organisation from losing data through these media and, as a supplier, reassures your clients that their data is protected in the same way.
A Removable Media policy should also include, or refer to, how removable media should be handled, physically protected, and eventually disposed of.
Reducing the exposure caused by removable media first involves making sure business and IT processes can operate without them wherever possible. Technical controls can then be implemented to prevent data from being copied or moved onto removable devices on systems where removable media is not required.
Where it is required, more granular technical controls can be implemented to limit what can be moved to removable media based on the business function. For example, a control could be configured to allow only video files if that is the business purpose.
Other features also exist, such as automatically encrypting any data moved onto the removable media.
There are numerous consultancies or individual consultants who will be able to assist in crafting a policy that meets your business and technical requirements.