Removable media is a type of storage device that can be removed from a computer whilst the system is running. Examples include:
- USB memory sticks
- External hard drives
- CDs
- DVDs
- Mobile phones and tablet devices
Risks - removable media
Removable media introduces the capability to transfer and store huge volumes of sensitive information as well as the ability to import malicious content. The failure to manage the import and export of information using removable media could expose the University to the following risks:
Loss of information
Removable media is very easily lost, which could result in the compromise of large volumes of sensitive information stored on it. Some media types will retain information even after user deletion, placing information at risk where the media is used between systems (or when the media is disposed of).
Introduction of malware
The uncontrolled use of removable media can increase the risk of introducing malware to systems.
Reputational damage
The loss of media can result in significant reputational damage, even if there is no evidence of any specific data loss.
Portable device that can be connected to an information system (IS), computer, or network to provide data storage. These devices interface with the IS through processing chips and may load driver software, presenting a greater security risk to the IS than non-device media, such as optical discs or flash memory cards. Note: Examples include, but are not limited to: USB flash drives, external hard drives, and external solid state disk (SSD) drives. Portable Storage Devices also include memory cards that have additional functions aside from standard data storage and encrypted data storage, such as built-in Wi-Fi connectivity and global positioning system (GPS) reception. See also removable media.
Sources:
CNSSI 4009-2015 under portable storage device
See portable storage device.
Sources:
CNSSI 4009-2015
A system component that can communicate with and be added to or removed from a system or network and that is limited to data storage—including text, video, audio or image data—as its primary function (e.g., optical discs, external or removable hard drives, external or removable solid-state disk drives, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks).
Sources:
NIST SP 800-53 Rev. 5 under portable storage device
A system component that can be inserted into and removed from a system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory).
Sources:
NIST SP 800-171 Rev. 2 under portable storage device
The purpose of this Standard is to establish requirements to provide for the protection of information stored on portable electronic storage media and portable computing devices.
Background
Portable computing devices (including, but not limited to, laptops computers, PDAs, tablet PCs) and portable electronic storage media (including but not limited to, CDs and USB storage devices) are vulnerable to loss or theft. In the event of loss of theft, information stored on these devices or media may result in identity theft or unauthorized access to secure systems, networks, and resources.
The Information Classification Standard requires that Confidential (Level 1) information stored on portable computing devices and portable electronic storage media be encrypted or otherwise rendered unreadable and unusable by unauthorized persons.
Scope
This Standard applies to:
- All University faculty, staff, students, and volunteers (collectively referred to as “employees”), contractors and consultants,
- All University owned portable computing devices and/or portable electronic storage media,
- All CSULB Auxiliary owned portable computing devices and/or portable electronic storage media containing University confidential or internal use data/information,
- All Confidential (Level 1) and Internal Use (Level 2) data/information.
Portable Computing Devices
The following requirements apply to all University owned portable computing devices containing confidential or internal use data/information or any CSULB Auxiliary owned portable computing device containing University confidential or internal use data/information:
- Confidential (Level 1) information should not be stored on portable computing devices unless absolutely necessary and removed when the business reason for storage is no longer required. Level 1 or Level 2 information may not be stored on non-university/auxiliary owned portable computing devices.
- Physically secured when not in use.
- Encryption software must be loaded and correctly configured.
- Strong password protection rules for all user profiles.
- Operating system software must be kept current and antivirus software must be kept current on devices capable of running such software.
Portable Electronic Storage Media
The following requirements apply to all University/Auxiliary owned portable electronic storage media containing confidential or internal use data/information or any CSULB auxiliary owned portable electronic storage media containing University confidential or internal use data/information:
- Confidential (Level 1) information should not be stored on portable electronic storage media unless absolutely necessary and removed when the business reason for storage is no longer required. Method for removal is outlined in the Electronic Media Sanitization Procedure. Level 1 or Level 2 information may not be stored on personally owned portable electronic storage media.
- All files must be encrypted.
Disposal Requirements
All confidential or internal use information stored on portable computing devices or portable electronic storage media must be sanitized prior to disposal in accordance with the Electronic Media Sanitization Procedure.
Reporting Loss or Theft
The loss or theft of a portable computing device or portable electronic storage media within the scope of this standard must be reported to the employee’s appropriate administrator, University Police and the Information Security Office. If lost or stolen off-campus, local law enforcement must be notified and a police report obtained.