
PS-4 – Removable Media


What is this control really about?

This control is about mitigating the risks that removable media can introduce into the organization. By removable media we mean USB memory sticks, flash drives, CDs, DVDs, external hard drives, mobile phones and tablet devices. Using removable media can be dangerous because it can introduce malware into an organization. Ideally, discourage the use of removable media altogether; if it must be used, ensure there are rules your employees need to follow.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, because we haven’t personally used them. 

  • No tool recommendations for this section

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • Externally sourced template from the US patent site
  • Externally sourced template from the Delta State University

What is required to implement this control?

It is important to define your stance on the use of removable media and document it. Secondly, it is important to include preventive measures to mitigate the risks whenever removable media is used. Preventive measures include:

  • Antivirus/antimalware
  • Disabling auto-run and autoplay features
  • Disabling USB flash drives
  • Employee security awareness
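
Two of the measures above, disabling auto-run/autoplay and disabling USB flash drives, can be checked on an endpoint rather than taken on trust. The script below is an added example, not TrustCloud's code. It assumes Windows endpoints, where the `NoDriveTypeAutoRun` policy value and the `USBSTOR` driver's `Start` value control these settings; the function names and the sample values are constructed for illustration.

```python
"""Audit two removable-media preventive measures on a Windows endpoint.

Added example. Assumes Windows; the fallback sample values are constructed.
"""
import sys

EXPLORER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
USBSTOR_KEY = r"SYSTEM\CurrentControlSet\Services\USBSTOR"

DRIVE_REMOVABLE = 0x04  # NoDriveTypeAutoRun bit for removable drives
DRIVE_CDROM = 0x20      # NoDriveTypeAutoRun bit for CD/DVD drives
SERVICE_DISABLED = 4    # Start value of a disabled driver


def evaluate(no_drive_type_autorun, usbstor_start):
    """Return {measure: (passed, detail)}; None means the value is not set."""
    findings = {}
    required = DRIVE_REMOVABLE | DRIVE_CDROM
    if no_drive_type_autorun is None:
        findings["autorun_disabled"] = (False, "NoDriveTypeAutoRun not set")
    else:
        ok = (no_drive_type_autorun & required) == required
        detail = f"NoDriveTypeAutoRun=0x{no_drive_type_autorun:02X}"
        findings["autorun_disabled"] = (ok, detail)
    if usbstor_start is None:
        findings["usb_storage_disabled"] = (False, "USBSTOR Start not set")
    else:
        ok = usbstor_start == SERVICE_DISABLED
        findings["usb_storage_disabled"] = (ok, f"USBSTOR Start={usbstor_start}")
    return findings


def read_dword(subkey, name):
    """Read a DWORD under HKEY_LOCAL_MACHINE; return None if it is missing."""
    import winreg  # Windows-only module, imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            value, _ = winreg.QueryValueEx(key, name)
            return value
    except OSError:
        return None


if __name__ == "__main__":
    if sys.platform == "win32":
        values = (read_dword(EXPLORER_KEY, "NoDriveTypeAutoRun"),
                  read_dword(USBSTOR_KEY, "Start"))
    else:
        values = (0x91, 3)  # constructed sample: autorun policy off, USB storage on
    for measure, (passed, detail) in evaluate(*values).items():
        print(f"{'PASS' if passed else 'FAIL'}  {measure}: {detail}")
```

The script reads machine-wide values only; a per-user policy under `HKEY_CURRENT_USER` is not inspected. If your documented procedure permits USB drives under certain rules, a FAIL on `usb_storage_disabled` is expected and the other measures carry the control.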

What evidence is the auditor looking for?

  • Documented procedure regarding removable media

An example of what an artifact can look like

1. Documented procedure regarding removable media
