Problem solve Get help with specific problems with your technologies, process and projects.

How to create guidelines for using removable storage devices

Removable storage devices often sneak past the security radar; Expert Shon Harris explains how to incorporate portable storage into your organization's security policy.

It seems that a blind eye is being turned to removable storage devices because of their portability and ability to transfer large amounts of data (such as over 25 million veterans' personal data). Not many places seem to understand the true risks that removable storage devices pose. So I question, if you're responsible for information security, where do you draw the line between convenience and strict security guidelines?
Unfortunately, it's impossible to draw a line that works for every organization. Choosing between security and business functionality has always been a struggle and it is up to the security officer, or whoever has been delegated this type of position, to decide what is best for the organization. There will be times when security needs outweigh business functionality needs and vice versa.

However, here are three steps to help you.

  1. Examine what regulations you must comply with and how the methods used to transfer sensitive data can make your organization non-compliant. This will put you in a better position to "lay down the law" and obtain the necessary funding from management.

    Each of the following regulations has to secure some type of sensitive data. While none of them specifically require protection of removable devices, if sensitive data resides on these devices then they fall under the requirements of these regulations.

  2. Learn what sensitive data your users can access and potentially remove. Most environments have sensitive data transferred throughout the network and in too many accessible places. Centralize the organization's sensitive data in one or two locations, and encrypt it while at rest and in transit.

  3. Finally, implement strong access controls on the central locations where the data resides.

    Unfortunately, for most employees to do their work, you will need to allow sensitive data to reside in more places than you would prefer – as in user workstations and laptops. In this type of situation most organizations cannot ban the use of removable storage devices. To ensure sensitive data is properly protected, implement a product that controls how removable storage devices are used and monitor the type of data saved to these devices. Many of these products allow you to develop a "white list" of devices that are allowed. All other devices on the "black list" are disabled. Finally, consider implementing an encryption mechanism and password protection for the removable storage devices. Some of these products provide these options.

    Here are some vendors that provide these product types. (Note: I have not tested them and am not promoting them, however they may be helpful.)


It is true that removable devices usually fly under the security radar. This is because security teams are too busy attempting to secure the more traditional methods used for data transfer, and removable storage devices have not fully hit the consciousness of those responsible for securing sensitive data, yet. Do not overlook PDAs, digital cameras, smartphones, Bluetooth and infrared devices. These are all potential points of danger; all allow data into and out of your environment, and must be properly identified and controlled.

It is also necessary to make users accountable for their actions. This is where most organizations fall short. Integrate removable storage risks into your security policy. Provide configuration standards for the type of product you choose to purchase and implement. Integrate these types of risks into your security awareness training programs and when people do not do as they are told, management should hold them accountable and potentially make an example out of them. Sadly, users will usually ignore the rules unless the rules are accompanied with repercussions. Since organizations can now get hit with penalties themselves (SOX, GLBA, HIPAA, Privacy laws, etc.) users need to be forced to act responsibly.

More Information

  • Learn how to encrypt and password-protect removable storage devices.
  • Learn how to safeguard stored data.
  • This was last published in September 2006

    Dig Deeper on Data security strategies and governance

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.