Problem solve Get help with specific problems with your technologies, process and projects.

Should enterprises ban USBs because the DoD banned them?

When creating a portable device security policy, should an organization take into account the policies of the federal government? In this security management expert response, learn what can be helpful to keeping USB devices secure.

The Department of Defense recently banned the use of all USB thumb drives. Do you think this would be a good position to take in all enterprises in which end users regularly interact with highly sensitive data?

Be careful about using any one organization as the model for designing security in your enterprise, particularly when the organization is government- or military-based. Just because the Department of Defense believes that banning USB drives is a worthwhile security/usability trade-off, that doesn't mean it is an acceptable option for your business. In general, people who work for the government and the military are wiling to put up with more inconvenience in the name of security. But is the average office worker? Not so much.

Before deciding on a mandate, I suggest performing some sort of risk assessment, and then find a workable solution -- one that won't make users want to cover you with tar and feathers. In general, it's a good idea to look at monitoring products, combined with data leak prevention (DLP) technology when appropriate. This is often an ideal strategy because it allows users to perform their day-to-day duties without overtly compromising security. It also provides the necessary monitoring to detect whether data is currently leaking, or has recently leaked out of the enterprise.

Going beyond monitoring to a full DLP suite offers the advantage of being able to notify employees in situations with potential policy violations. For instance, you may have a policy against putting company confidential information on removable media, but allow non-confidential data such as marketing materials to be moved around. As such, this software is useful because it can remind users of policies when they start to copy data and also let them know they are being monitored. This allows users the flexibility to do their jobs well and take an active role in protecting corporate data.

More information:

This was last published in December 2008

Dig Deeper on Information security policies, procedures and guidelines

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.