Under A.8.3.1 Management of Removable Media in Annex A, organisations must be able to demonstrate that the risks posed by removable media to the organisation are controlled. ISO 27001 describes this as implementing procedures in line with the classification scheme adopted by the organisation. But what does this mean? And how can the management of removable media be achieved?
As many modern-day businesses are aware, there is a genuine requirement to allow flexibility in the workplace. Employees no longer work on a single workstation in a fixed location; the workforce is becoming more and more mobile, and with that comes a need for tools to transfer files and documents efficiently.
For example, an employee may wish to work on a report from home and then bring it into the office to finalize and send on to a client. In this scenario, the easiest method for the employee is to use removable media to transfer the document to their corporate machine. But with this example come many risks.
In recent years, the use of removable media has become synonymous with virus transfer thanks to a number of highly publicized cases. In these examples, it is often the lack of technical control and user awareness that has led to malware propagating into a corporate environment, often originating from a user's home computer. Using the above example, sophisticated malware may attach itself to removable media, transfer onto a corporate device and from there onto the network, causing disastrous effects.
The biggest risk posed by removable media often comes from employees using media on personal devices before transferring back to the corporate environment.
So, how can this risk be managed while still allowing flexibility for the workforce?
A suggested approach may be as follows:
- Define a removable media policy. While this does not necessarily have to be a separate policy, it must define the organisation's stance on removable media and its expectations of users. For example, if the organisation identifies the use of removable media as too much of a risk to manage securely, the stance may be on a ‘default deny’ or ‘allow by exception’ basis. Users should be informed and trained on the risks of using removable media and on what is expected of them in managing removable media securely.
- Implement technical controls. Once the organisation has identified their stance on removable media, technical controls should be implemented to support realization of this policy. For example, if an allow by exception stance is taken then all USB ports should be disabled by group policy, and an exception group set up within AD to manage those users that are permitted access to ports.
To support a lockdown of ports, endpoint security controls should be investigated, and the organisation may wish to ensure anti-virus scans are initiated on connection. Finally, the organisation should ensure removable media is not permitted to execute without user approval (i.e. autorun is disabled), thus reducing the likelihood of malware executing in the background.
- Train users. Further to point 1, users should be trained via security awareness training on the risks of removable media and malware in general. Users should be aware of where to report malware incidents that may occur as a result of removable media usage and this should be incorporated into incident management procedures.
- Provide alternative methods for file transfer. If the organisation opts for a default deny stance, then alternative methods of file transfer should be implemented. For example, the use of a cloud service such as Dropbox should be investigated to allow users to store files on a central cloud service that is accessible from any device. As with any option, this may present further risks of its own, so it should be assessed properly before being adopted as the alternative.
- Encrypt removable media and audit file transfers. While the main risk organisations focus on is malware propagation, removable media is often a legitimate path for data exfiltration or loss. Employees transferring data onto USB sticks that are not encrypted, for example, may represent a real risk to the organisation if the media is lost or stolen, especially if it contains sensitive data. Organisations may wish to invest in managed, encrypted removable media to provision to users. This ensures that the data on any lost or stolen media cannot be recovered.
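The technical controls in point 2 (deny removable storage by default, disable autorun, manage exceptions through an AD group) can be audited and applied on an individual Windows endpoint with the script below. This is an added example, not part of the original article: it writes the same registry values that the Group Policy settings "All Removable Storage classes: Deny all access" and "Turn off AutoPlay" set, and assumes a hypothetical AD group named `USB-Exceptions`. In production the values would come from a domain GPO whose security filtering excludes that exception group, rather than from a local script.

```powershell
# Added example (not from the original article). Run elevated on a domain-joined
# Windows endpoint. The exception group name is an assumption for illustration.
$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$AutoRunKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ExceptionGroup = 'USB-Exceptions'   # hypothetical AD group of users allowed to use USB storage

function Get-RemovableMediaPosture {
    # Read the current machine-policy values; missing values mean "not configured".
    $denyAll   = (Get-ItemProperty -Path $PolicyKey  -Name Deny_All          -ErrorAction SilentlyContinue).Deny_All
    $noAutoRun = (Get-ItemProperty -Path $AutoRunKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{
        RemovableStorageDenied = ($denyAll -eq 1)
        AutoRunDisabled        = ($noAutoRun -eq 255)   # 0xFF = AutoRun off for every drive type
    }
}

function Set-RemovableMediaBaseline {
    # Deny read/write/execute on all removable storage classes (default-deny stance).
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name Deny_All -Value 1 -Type DWord
    # Disable AutoRun/AutoPlay so inserted media cannot execute without user action.
    New-Item -Path $AutoRunKey -Force | Out-Null
    Set-ItemProperty -Path $AutoRunKey -Name NoDriveTypeAutoRun -Value 255 -Type DWord
    Set-ItemProperty -Path $AutoRunKey -Name NoAutorun          -Value 1   -Type DWord
}

function Test-UsbException {
    # Returns $true when the user is (directly or via nesting) in the exception group.
    # Requires the RSAT ActiveDirectory module.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $members = Get-ADGroupMember -Identity $ExceptionGroup -Recursive |
               Select-Object -ExpandProperty SamAccountName
    return ($members -contains $SamAccountName)
}

# Audit first; only apply the baseline where the endpoint is not already compliant.
$posture = Get-RemovableMediaPosture
$posture | Format-List
if (-not ($posture.RemovableStorageDenied -and $posture.AutoRunDisabled)) {
    Write-Warning 'Endpoint does not meet the default-deny baseline; applying it now.'
    Set-RemovableMediaBaseline
}
```

The audit half is the part worth scheduling: running `Get-RemovableMediaPosture` across the estate and flagging machines where either value is false gives evidence for the A.8.3.1 control that the policy is actually enforced, not just written.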
ISO 27001 does not mandate that removable media cannot be used; it just recommends that media is used in a secure manner. By specifying the organisation's stance and implementing controls to support this policy, the organisation can gain a level of control over removable media that may otherwise pose a very high risk.
Organisations that require the use of removable media often opt to lock down USB ports and open these by exception, with supporting endpoint and anti-virus controls. For further control, the use of managed, encrypted removable media provides assurance that any data on lost/stolen devices cannot be compromised. Whichever approach the organisation decides to take, it should be mandated by policy, communicated to users and enforced technically.