Defining the types of removable media used

Removable media includes, for example, flash memory, SD cards, removable storage drives, USB sticks and DVDs.

The organization has defined which removable media is allowed to be used.

Related frameworks and requirements:
  • ISO 27001 8.3.1: Management of removable media
  • ISO 27001 8.3.3: Physical media transfer
  • ISO 27018 A.11.4: Protecting data on storage media leaving the premises
  • ISO 27001 13.2.1: Information transfer policies and procedures
  • ISO 27018 13: Communications security

Encryption of portable media

Storing confidential information on removable media should be avoided. When removable media must be used to transfer confidential information, appropriate protection is applied (e.g. full disk encryption with pre-boot authentication), so that a lost or stolen medium does not disclose its contents.
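
A practical way to verify this control is to check that a medium leaving the premises actually carries a recognized full-volume encryption header before it is released. The following script is an added example, not part of the original page or of any product it describes; it recognizes LUKS1/LUKS2 (magic bytes at offset 0, version at offset 6) and BitLocker ("-FVE-FS-" OEM name at offset 3 of the volume boot sector). The sample sectors, the function names and the "acceptable" policy are this example's own assumptions.

```python
import struct
from typing import Dict

# On-disk signatures used for the check (documented formats, not guesses):
#  - LUKS1 and LUKS2 both start with these 6 magic bytes at offset 0 and carry
#    the format version as a big-endian uint16 at offset 6.
#  - A BitLocker-encrypted volume's boot sector has the OEM name "-FVE-FS-"
#    at offset 3 (where a FAT/NTFS volume would have e.g. "MSDOS5.0"/"NTFS    ").
LUKS_MAGIC = b"LUKS\xba\xbe"
BITLOCKER_OEM = b"-FVE-FS-"
HEADER_LEN = 512  # one sector is enough for both signatures


def classify_media_header(header: bytes) -> str:
    """Classify the first sector of a partition/volume.

    Returns 'luks1', 'luks2', 'bitlocker' or 'plaintext-or-unknown'.
    'plaintext-or-unknown' does NOT prove the medium is unencrypted: formats
    without a signature (e.g. VeraCrypt containers) look like random data.
    """
    if len(header) < HEADER_LEN:
        raise ValueError("need at least the first 512 bytes of the volume")
    if header[:6] == LUKS_MAGIC:
        version = struct.unpack(">H", header[6:8])[0]
        if version in (1, 2):
            return f"luks{version}"
        return "luks-unknown-version"
    if header[3:11] == BITLOCKER_OEM:
        return "bitlocker"
    return "plaintext-or-unknown"


def is_acceptable(classification: str) -> bool:
    """Example policy (assumption): only recognized full-volume encryption passes."""
    return classification in ("luks1", "luks2", "bitlocker")


def check_volume(path: str) -> str:
    """Read and classify a real partition or volume, e.g. /dev/sdb1 on Linux.

    Pass the partition, not the whole disk: the disk's first sector is the
    MBR/GPT and carries no encryption signature.
    """
    with open(path, "rb") as f:
        return classify_media_header(f.read(HEADER_LEN))


def _sample_volumes() -> Dict[str, bytes]:
    # Constructed first sectors for demonstration, not captured from real devices.
    pad = lambda b: b + b"\x00" * (HEADER_LEN - len(b))
    return {
        "usb-luks2": pad(LUKS_MAGIC + b"\x00\x02"),
        "usb-luks1": pad(LUKS_MAGIC + b"\x00\x01"),
        "usb-bitlocker": pad(b"\xeb\x58\x90" + BITLOCKER_OEM),
        "usb-plain-fat": pad(b"\xeb\x3c\x90MSDOS5.0"),
    }


if __name__ == "__main__":
    for name, header in _sample_volumes().items():
        cls = classify_media_header(header)
        verdict = "OK to transfer" if is_acceptable(cls) else "BLOCK: no recognized encryption"
        print(f"{name:<16} {cls:<22} {verdict}")
```

A header signature only shows that encryption is configured, not that a strong passphrase is used or that pre-boot authentication is enforced; treat the check as a gate that catches plaintext media, not as proof of adequate protection.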

Related frameworks and requirements:
  • ISO 27001 8.3.1: Management of removable media
  • ISO 27001 8.3.3: Physical media transfer
  • ISO 27001 10.1.1: Policy on the use of cryptographic controls
  • NIST CSF PR.PT-2: Removable media
  • ISO 27018 A.11.4: Protecting data on storage media leaving the premises

Locked cabinets for storing devices containing confidential data

Removable media must be stored in a safe, a locker or other lockable furniture. It must not be left lying around the office.

Related frameworks and requirements:
  • ISO 27001 6.2.2: Teleworking
  • ISO 27001 8.3.1: Management of removable media
  • ISO 27001 7.10: Storage media

Detailed rules for the management of removable media

When removable media is an important part of an organization's operations, more specific rules have been defined for securing the media and the information it contains:

  • when media is taken outside the organization and its contents are no longer needed, the contents are made unrecoverable (securely erased) beforehand
  • taking media outside the organization requires authorization, and all transfers are logged
  • removable media is protected by encryption when the confidentiality or integrity of the information matters
  • information on removable media is periodically copied to fresh, unused media before the old media deteriorates and the data becomes unreadable
  • multiple copies of valuable data are stored on different media to reduce the risk of simultaneous damage or loss

Related frameworks and requirements:
  • ISO 27001 8.3.1: Management of removable media
  • ISO 27001 8.3.3: Physical media transfer
  • ISO 27001 13.2.1: Information transfer policies and procedures
  • NIST CSF PR.DS-3: Asset management
  • NIST CSF PR.PT-2: Removable media

Minimization of information outside data systems

A large amount of an organization's valuable information has often accumulated over time in hard-to-find and hard-to-manage unstructured data: Excel spreadsheets, text documents, intranet pages or emails.

Once this information has been identified, a determined effort can be made to minimize its amount. For each piece of important data held outside the data systems, one of the following decisions is made:

  • move it into a data system
  • get rid of it (when the information is old, no longer necessary or otherwise irrelevant)
  • keep it in use and appoint a responsible person to manage the risks

Related frameworks and requirements:
  • GDPR Art. 32: Security of processing
  • ISO 27001 8.1.3: Acceptable use of assets
  • ISO 27001 8.3.1: Management of removable media
  • ISO 27001 9.4.4: Use of privileged utility programs
  • ISO 27018 A.11.2: Restriction of the creation of hardcopy material