14) If the use of removable media is not prohibited and enforced technically, is its use subject to other compensatory controls?

August 30, 2022
Security Governance
Policies
Removable Media
Compensatory Controls

Answer yes if your organisation subjects the use of removable media to compensatory controls (these can include technical measures such as DLP solutions and encrypted USB drives, as well as training and awareness). If yes, please describe the nature of these controls within the notes.

What is it?

Where the use of removable media is required, additional controls can be applied to limit how and when they are used, or what types of data they are used for.

The compensating controls you wish to apply will depend on your business environment and individual use-cases for removable media. Controls might include:

  • acceptable use policies, defining the specific circumstances in which use of removable media is accepted and the processes to follow when doing so, including limiting usage to only that which is strictly necessary,
  • locked storage requirements,
  • assigning a nominated owner for each media device,
  • assigning unique identifiers for each media device to ensure traceability,
  • data encryption and/or device encryption,
  • Data Loss Prevention (DLP) solutions on endpoints to control the types of information transferred,
  • training for employees on risks of using removable media devices,
  • CCTV surveillance.

These measures all help ensure data is not accidentally or maliciously put on removable media and exfiltrated from the organisation when technical controls to prevent all use of removable media are not available or sufficient.

Why should I have it?

If you are not able to prevent the use of removable media entirely, compensating controls help reduce the risk of data loss through such media for yourself and clients that entrust you as a supplier of services.

How to implement the control

Which controls are useful and appropriate will depend on your specific business context and, in some cases, local employment and privacy laws. We strongly recommend you prevent the use of removable media where possible to minimise the need for compensating controls.

You should ensure any controls are documented and agreed to by all necessary parties.

There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and control set that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
