Be careful about using any one organization as the model for designing security in your enterprise, particularly when the organization is government- or military-based. Just because the Department of Defense believes that banning USB drives is a worthwhile security/usability trade-off, that doesn't mean it is an acceptable option for your business. In general, people who work for the government and the military are wiling to put up with more inconvenience in the name of security. But is the average office worker? Not so much.
Before deciding on a mandate, I suggest performing some sort of risk assessment, and then find a workable solution -- one that won't make users want to cover you with tar and feathers. In general, it's a good idea to look at monitoring products, combined with data leak prevention (DLP) technology when appropriate. This is often an ideal strategy because it allows users to perform their day-to-day duties without overtly compromising security. It also provides the necessary monitoring to detect whether data is currently leaking, or has recently leaked out of the enterprise.
Going beyond monitoring to a full DLP suite offers the advantage of being able to notify employees in situations with potential policy violations. For instance, you may have a policy against putting company confidential information on removable media, but allow non-confidential data such as marketing materials to be moved around. As such, this software is useful because it can remind users of policies when they start to copy data and also let them know they are being monitored. This allows users the flexibility to do their jobs well and take an active role in protecting corporate data.
This was first published in December 2008