T1.4.1 - P1 - MANAGEMENT OF REMOVABLE MEDIA
Removable media, such as optical discs (Blu-ray discs, DVDs, CDs), memory cards (CompactFlash card, Secure Digital card, Memory Stick), floppy disks / zip disks, disk packs, and magnetic tapes, are typically found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices.
The following guidelines for the management of removable media should be considered:
- A. If no longer required, the contents of any re-usable media that are to be removed from the entity should be made unrecoverable; for instance, data wiping software could be used
- B. Where necessary and practical, authorization should be required for media removed from the entity and a record of such removals should be kept in order to maintain an audit trail
- C. All media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications
- D. If data confidentiality or integrity are important considerations, cryptographic techniques should be used to protect data on removable media
- E. To mitigate the risk of media degrading while stored data are still needed, the data should be transferred to fresh media before they become unreadable
- F. Multiple copies of valuable data should be stored on separate media to further reduce the risk of coincident data damage or loss
- G. Registration of removable media should be considered to limit the opportunity for data loss
- H. Prevent content auto-run on laptops, workstations, and servers for removable media
- I. Removable media drives should only be enabled if there is a business reason for doing so
All procedures and authorization levels should be documented.