How to create guidelines for using removable storage devices

By Shon Harris | Sep 5, 2006

0 comments

Digg

 Email

 Print

It seems that a blind eye is being turned to removable storage devices because of their portability and ability to transfer large amounts of data (such as over 25 million veterans' personal data). Not many places seem to understand the true risks that removable storage devices pose. So I question, if you're responsible for information security, where do you draw the line between convenience and strict security guidelines? Unfortunately, it's impossible to draw a line that works for every organization. Choosing between security and business functionality has always been a struggle and it is up to the security officer, or whoever has been delegated this type of position, to decide what is best for the organization. There will be times when security needs outweigh business functionality needs and vice versa.

However, here are three steps to help you.

1. Examine what regulations you must comply with and how the methods used to transfer sensitive data can make your organization non-compliant. This will put you in a better position to 'lay down the law' and obtain the necessary funding from management.

   Each of the following regulations has to secure some type of sensitive data. While none of them specifically require protection of removable devices, if sensitive data resides on these devices then they fall under the requirements of these regulations.

   • Health Information Portability and Accountability Act (HIPAA)
   • Personal Information Protection and Electronic Documents Act (PIPEDA)
   • Gramm-Leach-Bliley Act (GLBA)
   • California Senate Bill 1386
   • Sarbanes-Oxley Act (SOX)
   • SEC Rule 17a
2. Learn what sensitive data your users can access and potentially remove. Most environments have sensitive data transferred throughout the network and in too many accessible places. Centralize the organization's sensitive data in one or two locations, and encrypt it while at rest and in transit.

 

3. Finally, implement strong access controls on the central locations where the data resides.

   Unfortunately, for most employees to do their work, you will need to allow sensitive data to reside in more places than you would prefer – as in user workstations and laptops. In this type of situation most organizations cannot ban the use of removable storage devices. To ensure sensitive data is properly protected, implement a product that controls how removable storage devices are used and monitor the type of data saved to these devices. Many of these products allow you to develop a 'white list' of devices that are allowed. All other devices on the 'black list' are disabled. Finally, consider implementing an encryption mechanism and password protection for the removable storage devices. Some of these products provide these options.

   Here are some vendors that provide these product types. (Note: I have not tested them and am not promoting them, however they may be helpful.)

   http://www.pointsec.com/
   http://www.securewave.com/home.jsp
   http://www.gfi.com/endpointsecurity/
   http://www.devicewall.com/?gclid=CJSu8byCnoYCFSA7SgodMwnkug
   http://www.trigeo.com/products/usbdefender/
   http://www.reflex-magnetics.com/products/disknetpro/

0 comments

Digg

 Email

 Print