MP-5(4) / SC-13 / A.8.3.1 / CIS-10.1 NIST SP 800-53 Rev 5

Approved USB devices use encryption

Demonstrate that all organizationally-approved USB storage devices use encryption and that technical controls prevent use of unencrypted or unauthorized USB devices on managed endpoints.

Description

What this control does

This control requires that all USB storage devices approved for organizational use employ hardware-based or software-enforced encryption to protect data at rest. Implementation typically involves maintaining an approved device list, enforcing device registration through endpoint management tools, and blocking unencrypted or unapproved USB media at the host level. The control reduces the risk of data exposure from lost, stolen, or improperly disposed USB devices by rendering stored data unreadable without proper authentication credentials.

Control objective

What auditing this proves

Demonstrate that all organizationally-approved USB storage devices use encryption and that technical controls prevent use of unencrypted or unauthorized USB devices on managed endpoints.

Associated risks

Risks this control addresses

  • Unauthorized exfiltration of sensitive data through unmonitored, unencrypted removable media by malicious insiders
  • Loss or theft of unencrypted USB devices containing personally identifiable information, intellectual property, or regulated data resulting in breach notification obligations
  • Introduction of malware from externally-sourced USB devices lacking security controls or centralized management
  • Inadvertent data spillage when employees use personal or unencrypted USB drives for work purposes without awareness of encryption requirements
  • Forensic recovery of deleted sensitive files from discarded or reassigned USB devices that were never encrypted
  • Regulatory non-compliance with data protection requirements mandating encryption of portable storage media containing protected health information, payment card data, or export-controlled technical data

Testing procedure

How an auditor verifies this control

  1. Obtain the current approved USB device list or asset register documenting make, model, serial numbers, assigned users, and encryption specifications for all authorized USB storage media.
  2. Review endpoint protection or device control policies configured in endpoint management platforms (e.g., Microsoft Intune, Jamf, CrowdStrike) to verify USB device whitelisting and encryption enforcement rules.
  3. Select a representative sample of at least 10 approved USB devices across different departments and physically inspect devices to confirm encryption capability through manufacturer specifications or device labeling.
  4. Connect sampled USB devices to test workstations and verify that encryption software prompts for authentication before granting access, or confirm hardware-based encryption activates automatically.
  5. Attempt to connect an unapproved, unencrypted USB device to a managed endpoint and confirm that the device is blocked, logged, or restricted per organizational policy.
  6. Review endpoint security logs or device control audit trails from the past 90 days to identify any instances of unauthorized USB device connections and verify incidents were detected and remediated.
  7. Interview IT asset management and security operations personnel to confirm processes for provisioning encrypted USB devices, decommissioning procedures including cryptographic erasure, and exceptions management.
  8. Validate that technical controls automatically block or alert on USB devices lacking encryption by reviewing configuration settings and testing detection capabilities in a controlled environment.
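Steps 6 and 8 come down to matching device-control events against the approved register and the review window. The following Python is an added illustration, not part of the control catalog or any vendor export: the register contents, the key=value log layout, and every serial, host and user name are constructed.

```python
# Added example, not catalog text: cross-check device-control events against the approved
# USB register (steps 6 and 8). All values and the key=value log layout are constructed.
from datetime import datetime, timedelta

# Constructed approved-device register (step 1), keyed by USB serial number.
APPROVED = {
    "4C530001230521118221": {"model": "EncryptedDrive-X", "encryption": "hardware", "user": "jdoe"},
    "AA01EXAMPLE000000007": {"model": "Generic 32GB", "encryption": "BitLocker To Go", "user": "asmith"},
    "CC0300000000000000AB": {"model": "Unbranded 16GB", "encryption": None, "user": "contractor1"},
}

# Constructed device-control audit lines (timestamp first, then key=value fields).
SAMPLE_LOG = """\
2024-05-02T09:14:03Z host=WS-0142 user=jdoe action=connect serial=4C530001230521118221 result=allowed
2024-05-03T11:02:47Z host=WS-0177 user=bwong action=connect serial=5A1F00000000DEADBEEF result=blocked
2024-05-10T16:45:12Z host=WS-0190 user=clee action=connect serial=7B2200000000CAFEF00D result=allowed
2024-05-12T10:30:00Z host=WS-0201 user=contractor1 action=connect serial=CC0300000000000000AB result=allowed
2024-01-15T08:00:00Z host=WS-0142 user=jdoe action=connect serial=7B2200000000CAFEF00D result=allowed
"""

def parse_event(line):
    """Split one log line into a dict; the first token is an ISO-8601 UTC timestamp."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["time"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ev

def review_usb_events(log_text, approved, review_date, window_days=90):
    """Return one finding per problematic connect event in the review window. Kinds:
    unauthorized-blocked / unauthorized-allowed: unlisted device (allowed = enforcement gap)
    approved-no-encryption: listed device whose register entry records no encryption"""
    cutoff = review_date - timedelta(days=window_days)
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["action"] != "connect" or not (cutoff <= ev["time"] <= review_date):
            continue  # not a mount event, or outside the review period
        entry = approved.get(ev["serial"])
        if entry is None:
            kind = "unauthorized-" + ev["result"]
        elif not entry["encryption"]:
            kind = "approved-no-encryption"
        else:
            continue  # approved, encrypted device: nothing to report
        findings.append({"time": ev["time"].isoformat(), "host": ev["host"],
                         "user": ev["user"], "serial": ev["serial"], "finding": kind})
    return findings

def audit_sample(review_iso="2024-06-01T00:00:00Z"):
    """Review the constructed data over the 90 days ending at review_iso (a 'Z' UTC timestamp)."""
    return review_usb_events(SAMPLE_LOG, APPROVED, datetime.fromisoformat(review_iso.replace("Z", "+00:00")))
```

An `unauthorized-allowed` finding is the case the pass criteria below treat as a failure, while `unauthorized-blocked` entries should each have a matching incident record; the January event drops out because it predates the 90-day window.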

Evidence required

Collect the approved USB device inventory with encryption specifications, endpoint device control policy configuration exports showing whitelist rules and encryption requirements, screenshots or photos of physical device inspection demonstrating encryption features, authentication logs from sampled encrypted USB devices, endpoint security console screenshots showing blocked device attempts, and device control audit logs covering the review period with evidence of monitoring and incident response activities.

Pass criteria

All sampled approved USB devices demonstrate functional encryption, endpoint controls successfully block unapproved or unencrypted devices, and audit logs confirm consistent enforcement with documented remediation of any exceptions or violations during the review period.

Where this control is tested

Audit programs including this control