USB Memory Device Policy - A Primer on Why and How to Start One
By Dave Guerra

     Incidents involving USB memory devices have taken center stage on the information security front. Lost or stolen USB devices loaded with names, home addresses, phone numbers, Social Security numbers, and birth dates are becoming commonplace. An organization's ability to control what is stored on these devices, how it is protected, and what to do when things go wrong is therefore critical to its success.

     If you or your organization ever needed a reason to initiate a USB memory device policy in your workplace, consider the following. Not too long ago the US military changed its policy on the use of personal USB memory devices. Not only was critical information being lost, but the devices were also the instruments by which military local area networks (LANs) were becoming infected with viruses, spyware, and other malware. Since the military could not check every personal USB device its personnel used, it placed an immediate ban on them.

     Now the military issues its own USB memory devices. This gives it control over what is issued and, most importantly, who has access to the devices. It also means the military can regulate the content, its use or misuse, and the expected security measures. Additionally, the military now has the ability to act on any violation, whether it is inappropriate content or a lack of security precautions.

     A more recent example is from April 22, 2009. According to the Privacyrights.org website, at FairPoint Communications, Inc., a Charlotte, NC company, "a worker's failure to abide by security precautions caused a portable data storage device containing employee information to disappear." It is estimated that the device contained information on about 4,400 current and former employees.

     These two examples are but the tip of the iceberg. Certainly no organization wants to become the example somebody else uses when talking about something bad happening. To help prevent you or your organization from becoming a victim of malware or of a data loss, some type of policy is essential. If your employees or contractors are holding your company's information on personally owned USB memory devices, you need to recognize that those devices are not company property: you generally cannot inspect their contents even when you know your data is there. That means your organization cannot effectively address how that information is protected, nor hold the employee accountable when the data is lost, stolen, or cannot be recovered. Therefore, now is the time to implement an organization-wide policy on the use of USB memory devices. Once the decision to put a USB memory device policy into service is made, the organization must act fast in order to minimize any disruption the changeover will incur.

     The first step is to immediately ban all personal USB devices. Depending on your organization's unique situation, you can ban them by close of business today or state that the transition will occur within the next five business days. Try not to allow anything longer than that, with the exception of people who are on vacation, FMLA leave, or out of the country.

     Either before or at the time of announcing the ban, the organization should acquire its own USB memory devices. While it might be tempting to run down to the local office supply store and get whatever is in stock, that is not practical. Do a little homework: buying in bulk will save some money and a lot of heartache, especially with those who demand a larger-capacity device but would otherwise get something smaller. On that premise, it behooves an organization to acquire devices of the same make, model, capacity, and even color for all employees; a single model also makes a device that is not the company's easy to spot.

     Prior to issuing the devices, the company should take time to prepare and deliver a training program for all USB memory device users. This training should at least cover the following: what the devices will be used for, who is authorized to use them, what security precautions will be taken (e.g. data encryption or password protection of the device), the notification procedures, and the actions taken after a violation occurs.

     Once all users are trained, the memory devices can be issued, but only after each one has been permanently tagged with a unique identifier. The employee signs a hand receipt acknowledging receipt of the device, with that identifier recorded on it, and signs a copy of the updated company acceptable use policy (AUP), which now includes the USB memory device.

     The acceptable use policy should include, but not be limited to, the following: an explanation of the current situation and the need for a USB memory device policy; the actions required of employees; the actions the company will take; and the notification procedures in the event of loss, theft, or damage. It should also clearly state the consequences of a first violation and of a second violation of the acceptable use policy. Lastly, the schedule for recurring training or retraining should be included.

     As the USB memory devices are now company property, they are subject to inspection. This ensures that the equipment is being used properly and within the guidelines of the AUP and the USB memory device policy (USBMDP). Periodic random inspections can be conducted on 20 to 30% of the devices each month, and 100% must be inventoried annually, just like any other technology equipment or high-value item. The annual inventory is also a good time for an inspection, the annual review of training, and the updating of the AUP.
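     The random inspections and the annual inventory above are manual checks on the devices themselves. A practitioner will also want the host-side view: which USB storage devices have actually been plugged into company machines, and whether each one is on the issued-device inventory. The following Python script is an added example written for this page; it is not the author's procedure and goes beyond the article, which does not discuss host records. It assumes two things: that the hand receipt records each device's USB serial number alongside its permanent tag ID (the article mentions only the tag), and that host records are Windows device instance IDs of the form USB\VID_xxxx&PID_xxxx\<serial>, which Windows keeps for every USB device it has enumerated (for example under the Enum\USB registry subtree), pre-filtered to storage devices. The inventory, the company model's vendor/product IDs, and the host records below are all constructed sample data.

```python
"""Reconcile USB devices seen on hosts against the issued-device inventory.

Added example for the USB memory device policy discussion; not the article's
own procedure. All identifiers, serial numbers, hosts and users are constructed.
"""
import re

# Windows device instance ID: USB\VID_xxxx&PID_xxxx\<instance>.
# <instance> is the device's own serial number when it reports one; when it
# does not, Windows synthesises an instance containing '&' (e.g. 6&1a2b3c4d&0&2),
# which cannot be reconciled against a hand receipt.
INSTANCE_ID = re.compile(r"^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\(.+)$")

# The single make/model the company standardised on (constructed VID/PID).
COMPANY_MODEL = ("0781", "5583")

# Constructed inventory from the hand receipts: tag ID -> (USB serial, employee).
# Recording the serial beside the tag is an assumption added for this example.
ISSUED = {
    "USB-0001": ("4C530001234567890123", "jdoe"),
    "USB-0002": ("4C530009876543210000", "asmith"),
    "USB-0003": ("4C530005555555555555", "bjones"),
}

# Constructed host records: (hostname, logged-in user, device instance ID).
SEEN = [
    ("WS-101", "jdoe",   r"USB\VID_0781&PID_5583\4C530001234567890123"),
    ("WS-102", "asmith", r"USB\VID_0781&PID_5583\4C530009876543210000"),
    ("WS-103", "cwu",    r"USB\VID_0951&PID_1666\0019E06B1A2B3C4D"),     # other vendor
    ("WS-104", "bjones", r"USB\VID_0781&PID_5583\4C530000000000000001"), # company model, no receipt
    ("WS-105", "mlee",   r"USB\VID_0781&PID_5583\4C530001234567890123"), # jdoe's device, other user
    ("WS-106", "jdoe",   r"USB\VID_13FE&PID_4200\6&1a2b3c4d&0&2"),        # reported no serial
]


def parse_instance_id(instance_id):
    """Return (vid, pid, serial) upper-cased, or None if this is not a USB instance ID.

    serial is None when the device reported no serial and Windows synthesised one.
    """
    m = INSTANCE_ID.match(instance_id)
    if not m:
        return None
    vid, pid, inst = m.group(1).upper(), m.group(2).upper(), m.group(3)
    serial = None if "&" in inst else inst.upper()
    return vid, pid, serial


def reconcile(seen, issued, company_model):
    """Classify each host record against the inventory and list issued devices never seen."""
    by_serial = {serial.upper(): (tag, owner) for tag, (serial, owner) in issued.items()}
    report = {
        "authorized": [],               # issued device, used by the employee it was issued to
        "wrong_holder": [],             # issued device, used under another account
        "untracked_company_model": [],  # company model but no hand receipt on file
        "personal_device": [],          # not the company model and not on inventory: the ban
        "no_serial": [],                # cannot be reconciled; inspect physically
        "not_observed": [],             # issued but never seen; verify at annual inventory
    }
    observed = set()
    for host, user, inst_id in seen:
        parsed = parse_instance_id(inst_id)
        if parsed is None:
            continue  # not a USB device record at all; nothing to reconcile
        vid, pid, serial = parsed
        if serial is None:
            report["no_serial"].append((host, user, inst_id))
        elif serial in by_serial:
            tag, owner = by_serial[serial]
            observed.add(tag)
            bucket = "authorized" if user == owner else "wrong_holder"
            report[bucket].append((host, user, tag, owner))
        elif (vid, pid) == company_model:
            report["untracked_company_model"].append((host, user, serial))
        else:
            report["personal_device"].append((host, user, f"{vid}:{pid}", serial))
    report["not_observed"] = sorted(set(issued) - observed)
    return report


if __name__ == "__main__":
    for bucket, rows in reconcile(SEEN, ISSUED, COMPANY_MODEL).items():
        print(f"{bucket}: {len(rows)}")
        for row in rows:
            print("   ", row)
```

     Each bucket maps to an action the policy already defines: a personal device is a violation of the ban, a wrong holder or an untracked company-model device is a hand-receipt problem to resolve during an inspection, a device with no serial has to be matched to its physical tag by hand, and the not-observed list is the starting point for the annual 100% inventory.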

     Certainly there are more details that go into creating a complete USB memory device policy; these are but a few highlights to get you started. The point here is that the sooner you start controlling how your information is handled, the sooner you can rest a little more comfortably, knowing that your information has a fighting chance when it comes to the possibility of falling into the wrong hands. Don't wait until someone reads about your company before you do something about information security.

References:
http://www.privacyrights.org/ar/ChronDataBreaches.htm  
   
  © 2009 David Guerra