Be careful about using any one organization as the model for designing security in your enterprise, particularly when the organization is government- or military-based. Just because the Department of Defense believes that banning USB drives is a worthwhile security/usability trade-off, that doesn't mean it is an acceptable option for your business. In general, people who work for the government and the military are wiling to put up with more inconvenience in the name of security. But is the average office worker? Not so much.
Before deciding on a mandate, I suggest performing some sort of risk assessment, and then find a workable solution -- one that won't make users want to cover you with tar and feathers. In general, it's a good idea to look at monitoring products, combined with data leak prevention (DLP) technology when appropriate. This is often an ideal strategy because it allows users to perform their day-to-day duties without overtly compromising security. It also provides the necessary monitoring to detect whether data is currently leaking, or has recently leaked out of the enterprise.
Going beyond monitoring to a full DLP suite offers the advantage of being able to notify employees in situations with potential policy violations. For instance, you may have a policy against putting company confidential information on removable media, but allow non-confidential data such as marketing materials to be moved around. As such, this software is useful because it can remind users of policies when they start to copy data and also let them know they are being monitored. This allows users the flexibility to do their jobs well and take an active role in protecting corporate data.
Dig Deeper on Information security policies, procedures and guidelines
Related Q&A from David Mortman
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ... Continue Reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security... Continue Reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ... Continue Reading