Policy for removable media.

Write a new company policy for removable media. You may handle the situation as you see fit for
your organization and your risk management assessment. Options include: accepting the risk and requiring
employees to take additional care in how they handle removable media, emphasizing to the workforce the risks
of lost data; logging all files copied to and from removable media so the organization can assess what may be
on any given USB drive; encrypting all removable media with a tool such as BitLocker; or a combination of any or
all of these options and/or some other ideas you have on how to handle this risk for the organization.
Your policy should be well formatted, free of spelling and grammar errors, clear, concise, and understandable by
the workforce. The policy should briefly explain the problem, challenge, or risk it is designed to solve or mitigate, state the new requirements or rules, and briefly describe how you will perform the technical implementation.

Scenario:
Your company recently experienced a spate of incidents in which thumb drives containing potentially sensitive
company documents were lost. In one instance, a 32GB USB drive was turned in to the reception desk, and
when the security team reviewed the contents, the drive was found to contain several documents with
sensitive financial information on a contract the company was negotiating with a major client.
In another incident, a traveling marketing representative reported losing a 64GB thumb drive at some
point during a domestic business trip. While the marketing officer was sure about some of the documents
recently added to the USB drive, he was not sure about all the files on it, since he had been using the same
drive for the past two years and rarely deleted content from it.